General Chat

Top tip - using the Genes Reunited community

Welcome to the Genes Reunited community boards!

  • The Genes Reunited community is made up of millions of people with similar interests. Discover your family history and make life long friends along the way.
  • You will find a close knit but welcoming group of keen genealogists all prepared to offer advice and help to new members.
  • And it's not all serious business. The boards are often a place to relax and be entertained by all kinds of subjects.
  • The Genes community will go out of their way to help you, so don’t be shy about asking for help.

Quick Search

Single word search

Genes Extras

Genes Reunited subscription bonuses

As a way of saying thank you to our subscribers, we have launched Genes Extras. You'll find exclusive competitions and discounts on family history magazines, days out and much more.

Take me to Genes Extras


  • New posts
  • No new posts
  • Thread closed
  • Stickied, new posts
  • Stickied, no new posts

cross site scripting

Page 0 + 1 of 3

  1. 1
  2. 2
  3. 3
  4. »
ProfilePosted byOptionsPost Date


eRRolSheep Report 29 Jan 2013 08:42

Rollo I agree.
Enabling the XSS filter is just one (small) thing users can do. Sure there are numerous ways around it but better some protection than none at all.
Glad you have left the dark side and moved over to Linux.


eRRolSheep Report 29 Jan 2013 08:36

Elizabeth - you are disabling cross site scripting by enabling the XSS filter - sorry if I confused you.


RolloTheRed Report 29 Jan 2013 01:25

A follow up for Mr Errol - as I said disabling XSS will not defeat a determined attack.
Here is one example from a security site. The real thing is a little more devious.

Simply, the attacker needs to include a remote script, allowing ANY action to be performed in the security context of the vulnerable site. The easiest way is to perform a document.write, for example:

')"'>a link

The trouble with this approach is two fold. Firstly, the introduction of angle brackets hits the .NET ValidateRequest protective measures, and also modern browser XSS protection - which basically works by looking for "unsafe" client supplied input being reflected without encoding. So how can we bypass?

First step, encode - URL encode:

a link

This basic evasion won't work for two reasons; firstly the browser will decode the URL and detect user supplied input is being reflected in the responce. Secondly, the appliction will decode the parameter and detect that unsafe characters are being sent...back to the "A potentially dangerous..." error message. What the attacker needs to remember in this instances however is we have already proved that we can execute arbitrary code - as illustrated in the pop-up box in the first example. So let's apply a second round of encoding:

a link

Now in this example we have no unencoded angle brackets and we have no [single pass] URL encoded angle brackets. In other words we have just bypassed both .NET ValidateRequest and modern browser XSS protective measures. The beauty of this attack is there is no trivial solution to the problem, other than executing the JavaScript code to assess whether or not it's malicious in nature; not a trivial task, and dangerous in its own right.

So there you go...bypass both .NET and modern browser XSS protection with a simple double URL encode of the infection vector*. REMEMBER POINT TWO OF MICROSOFT'S ADVICE - ENCODE [OR STRIP] THE OUTPUT - do not rely on input validation alone!



RolloTheRed Report 29 Jan 2013 01:15

Dear Mr Errol, here we are all Linux people except for charity work we do which tends to involve Windows.

The many weasel ways in which all sorts of malware and adware get into users machines are too numerous to list here and beyond the ken of most. Suffice it to say that the standard "security" options inc disabling XSS are not very challenging if you work on the dark side.

The ones that give me the crawlies the most are rootkits which go on to run a key logger. As it is next to impossible for ordinary people to detect these kits they shuld be very wary of using online banking. That is why some banks issue a device to generate a one time key which a logger cannot use.

Windows XP running IE (any version) is by far the most vulnerable ; the easiest and cheapest fix until Jan 31st 2013 is to upgrade to Win8 as Microsoft are doing ug licences online for about £ 35. After that the price goes up by £ 100. Also Win8 will run ok on oldish hardware that finds Win7 a bit of a stretch 'cos the code is more efficient as well as a tad more secure.

Any kind of support including security for XP will stop in about a year.


Elizabeth2469049 Report 29 Jan 2013 00:07

ES - you orignally said "enable" - so I checked and I already had the dot there (though it didn't mention XSS specifically" - I have XP) - now you say "disable"). Haven't had any virus trouble, did scan. Did I misunderstand?


eRRolSheep Report 28 Jan 2013 21:44

Rollo are you employed by the company marketing Windows 8 by any chance? hehehe

Yes dual booting is very useful but sadly beyond the skills of many computer users - I use dual boot machines, mainly with Linux and in particular Ubuntu.

The point I was making about XSS was that at the very least you have it blocked.


RolloTheRed Report 28 Jan 2013 21:30

I feel sorry for people with no technical ability trying to keep a Windows system clean. It is next to impossible.

For instance the popular Lavasoft AdAware program has been rre-written under new owners Solaria. The UK tech site "The Register" has this to say about Solaria:

"The new owners, Solaria who bought the company (Lavasoft) in January this year have also been linked to a number of misleading websites and were accused in 2007 of selling free versions of ad-aware through cyber-squatting sites. The founders of Solaria have also been linked to other companies selling porn online, re-skinned versions of P2P filesharing software and charging customers for software they didn't order."

It may not be a surprise then to discover that the free version of AdAware installs Blekko. Here is a useful commentary about Blekko:

You couldn't make it up.

Believe me if you think that clicking a few options about cross site scripting will secure yr box then you are a super duper optimist. The trouble is that Windows (any version) is congenitally disastrous at security and only slightly better at being reliable. The latest versions do not have any better security at the kernel, just thicker armor which the black hats will soon find their way through.

You can see and read about the results every day - Stux net, bizarre displays at car parks and supermarkets, bot nets it goes on and on. Indeed it is so bad that the German govt is withdrawing altogether from using Windows and has advised its citizens to do the same. What more can I say?

For those who really must use Windows 'cos it is cuddly and familiar ( ? ) then at the very least ensure that if it is XP you have it fully patched - the best AV program is Microsoft;s freebie oddly enough - and run a firewall AND DON'T RUN IE ANY VERSION. No browser is secure in XP but IE is by far the worst. Now is the time to get yr cheap Win8 UG - offer expires 31st Jan 2013.

Alternatively switch to Linux if you are poor or Apple if you are not. Either way you can dual boot Windows in case of need.


eRRolSheep Report 28 Jan 2013 20:03

Just to clarify, cross site scripting (XSS) is not in itself a virus (as stated on another thread) but can (maybe) be used to steal information which is why it is a good idea to block as discussed earlier.
This, in addition to decent security settings and software in general, is just a part of your armoury in combatting nasties.
Rollo is quite right about freeware (and shareware) too.
If you download something it is always wise to Google it first to see if there are any reported issues. Also, when downloading never click on Run. Instead, choose "Save as" and save the file in a suitable location. You can then right click and scan it with your anti-virus software before running it.


RolloTheRed Report 28 Jan 2013 11:45

There are more ways around attempts to block cross site scripting then there are fleas on an old cat. Sure, use the browser settings to block it but it won't work for cunning coding. That is why a great many honest sites have ended up as unwitting targets for pay day loans sharks.

By far the most popular vector for getting this stuff into the machine are ads. So AdBlock will stop much of this nonsense. You can always enable ads on a site by site basis where you the ads may be useful to you. fwiw GRU does not do all that well from ads anyway which is why the subs are going up :-(

Another very common way all this crap gets into computers is freeware, some of it very popular. The "freeware " offers to install stuff such as search bars etc etc. People don't read the install and just click, click, click like mad.... Once installed these add ons act like a honeypot for more, often dubious ads, and create a huge security hole. The add ons can be a real pain to remove.

Sometimes they can be avoided by reading the install carefully and deselecting but often the "right" to install the junk is deep in the t&c. Nearly all this malware once installed uses cross site scripting but is usually slips under the radar. In the worst cases people end up with a root kit.

I often wonder if the people moaning long and hard at problems with connection to GRU ever consider what kind of grot they may have running on their machine.

From a security point of view Apple products are easily the best, any version of Internet Explorer the worse and especially IE6,7,8.

XP is really a shot fox. Until the end of this month you can still get a cheap ug licence for Win8. I have found it fairly easy to make it look and work pretty well the same as Win7 with the possible bonus that you can run an "app" when needed. The tile UI is ok on tablets but a total disaster on real computers. MOre to the point of this post Win8 security out of the box is fairly good.


PatrickM Report 28 Jan 2013 00:37

Quote ErrolSheep

it is probably purely caused by click-through adverts

End Quote

I am 99% certain that it is caused by the adverts, and its not the first time the adverts on here have caused problems. The problem being the adverts are not being screened by the advert host, not GR. We have had to put up with viruses, malware etc coming in from the adverts from the sites which GR uses for supplying the adverts ever since day one as to say.


eRRolSheep Report 27 Jan 2013 23:41

no please don't delete - valuable advice


Susan10146857 Report 27 Jan 2013 23:06

I realise that Errol but as ad blockers were mentioned I thought I would add the information. I will delete if you wish.


eRRolSheep Report 27 Jan 2013 22:02

it wasn't about blocking ads - more about blocking malicious code that could be used potentially in some cases to steal personal details etc


AnninGlos Report 27 Jan 2013 22:01

I don't get adverts on my main PCM, do on the IPad though


Susan10146857 Report 27 Jan 2013 21:58

If you have an iPad or even iPhone there is an Adblock app


eRRolSheep Report 27 Jan 2013 21:33

Supercrutch yes - thank you
That means your settings are correct
My original post was because I was concerned that the warning was popping up


supercrutch Report 27 Jan 2013 21:30

If you have correct settings on IE your pop up will say

'Internet Explorer has modified the content to help prevent cross site scripting' not verbatim but you get the drift.


eRRolSheep Report 27 Jan 2013 21:30

it is probably purely caused by click-through adverts and nothing to worry about (unless someone is foolhardy enough to click on them!)
I reckon it just highlights how careful we should be


DazedConfused Report 27 Jan 2013 21:25

Oh and thank you all very much - you are all so very helpful to a non techie



DazedConfused Report 27 Jan 2013 21:24

As I have not seen this problem on any other sites I visit such as Rootschat or Facebook, could it be someone hacking through this site if so should it be reported to the GR team?