Cross-site Scripting (XSS) Vulnerability possible

My website doesn't have a search input, but it has hyperlinks to other sites. Should I worry about an XSS (cross-site scripting) vulnerability?

XSS is not limited to search input fields =). Any input that your web application outputs without filtering leads to XSS. If you have outdated JS libraries (e.g. an old version of jQuery), they can also contain vulnerable code and lead to XSS.
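An added example (not part of this answer) of the point about unfiltered output, in Python: a link built from an untrusted search term, first echoed raw and then encoded for each output context, with a parse-based check that the encoded version keeps the markup structure intact. The input term is constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote_plus

# Constructed untrusted input: a search term as a visitor might supply it. It carries the
# characters (& " <) that break out of an attribute or start a tag when echoed unencoded.
UNTRUSTED_TERM = 'cats & "dogs" <3'


def render_link_unsafe(term):
    """The mistake: the term goes into the href and the link text exactly as received."""
    return '<a href="http://www.google.com/search?q=' + term + '">' + term + '</a>'


def render_link_safe(term):
    """Encode for each output context: percent-encode inside the query string, then
    HTML-escape (quotes included) for the attribute value and the element body."""
    href = "http://www.google.com/search?q=" + quote_plus(term)
    return '<a href="{}">{}</a>'.format(html.escape(href, quote=True), html.escape(term, quote=True))


class _LinkCollector(HTMLParser):
    """Records start tags, their attributes and the text between them."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))

    def handle_data(self, data):
        self.text.append(data)


def is_well_formed_link(markup, term):
    """True only if parsing the markup yields a single <a> with nothing but an href,
    and the visible text is exactly the original term: the input changed no structure."""
    p = _LinkCollector()
    p.feed(markup)
    p.close()
    return (len(p.tags) == 1 and p.tags[0][0] == "a"
            and [name for name, _ in p.tags[0][1]] == ["href"]
            and "".join(p.text) == term)
```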

You should only link to websites that are secure and trusted. An example of a trusted website is one that uses https or one which is ranked high in Google.
If you link to an untrusted website, then it's possible that when your visitors click on the link to the untrusted website, they are taken to a malicious website that serves malware or steals user credentials.

Related

Can using an Iframe pose a security risk?

My webmaster has an online store on a site with SSL that I would like to feature on my site. He says this could be done with an iframe. Are there any security risks in using an iframe for this shop, for example a man-in-the-middle attack? Or is this safe for any customers using it because the origin is protected?
Although iFrames are, in theory, loaded securely in their own environment, there are several security issues with them including:
They can be used for ClickJacking attacks. For example a site loads another website in an iframe and then floats username and password text boxes on top of the iframe so people think they are typing these into the website in the iframe, when in fact they are not.
It's not easy to see the website the iframe is loading. For example you load a frame of badbank.com and make it look exactly like goodbank.com. The user has no idea which domain has loaded as there is no address bar nor green padlock.
In general it's suggested that websites prevent framing using the X-Frame-Options or Content Security Policy HTTP headers.
For sites like yours that do the framing (rather than being framed), you are therefore putting your users at risk. So if your site is hacked, then this might lead to the above issues. Additionally, I've worked on a couple of sites where framing suddenly broke when the framed site prevented it from being framed anymore using the above headers, which looks bad on your site.
Finally framing breaks some of the fundamental ways of using the web (e.g. Back button).
All in all I would caution against iFrames.
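As an added example, not from this answer, a Python check of whether a shop page's response headers would permit framing from your site, applying the X-Frame-Options and CSP frame-ancestors rules the answer mentions; the header values and origins below are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample headers, as a shop site might send them (not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://mysite.example",
    "X-Frame-Options": "SAMEORIGIN",
}

def _origin(url):
    """Normalise a URL or origin to lower-case scheme://host[:port]."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def _frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None

def _source_matches(source, framer, own):
    """Match one frame-ancestors source ('self', *, a *.host wildcard, a host or an origin) against the framer."""
    if source == "'self'":
        return framer == own
    if source == "*":
        return True
    host = urlsplit(framer).hostname or ""
    if source.startswith("*."):
        return host.endswith(source[1:])
    return _origin(source) == framer if "://" in source else host == source

def framing_allowed(headers, framer_url, own_url):
    """True if a page served from own_url with these response headers may be framed by framer_url.
    Browsers that support frame-ancestors ignore X-Frame-Options when both are present, so CSP is
    checked first; with neither header the page can be framed by anyone."""
    framer, own = _origin(framer_url), _origin(own_url)
    lower = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(lower.get("content-security-policy", ""))
    if sources is not None:  # 'none' matches no source, so any() is False
        return any(_source_matches(s, framer, own) for s in sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == own
    return True  # no header, or a value this check does not recognise
```

Run against the real shop's headers (for example from a `curl -I` of the shop page) before building the iframe, since a later tightening of these headers is exactly what makes framing "suddenly break".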

How to lock website download?

Hi everyone.
I need to lock my website against downloading via some Windows tools and wget.
The site consists of JS, HTML and PHP files.
I googled about security resource sharing, but it was not helpful for me.
Thank you.
As long as you need to have your website available online for everybody at the same time, this is not possible. If someone visits your site, the browser needs to access all files, in other words download them. You might be able to apply a few hacks to make it more difficult, but you cannot prevent it completely.
If you want to restrict it to a defined audience, you can implement a login using, for example, HTTP Auth. How this can be achieved depends on your hosting. It might be doable using an .htaccess file in your web root or maybe through the admin interface of your hoster.
Your PHP files should be safe, by the way; the above applies to the public parts of your site (HTML/CSS/JavaScript/images/...).

Does typekit pose a security risk?

I'm currently doing front-end development for an insurance company's client portal, and one of their developers is concerned about using Typekit for security reasons. Does anyone know if there is a legitimate risk in using Typekit on secure sites? Also, if anyone has some documentation on this that I could send to this developer, that would be really helpful; I (surprisingly) wasn't able to find anything on the Typekit site that would put his mind at ease.
Thanks!
There are different ways of including Typekit fonts. When you host your own CSS with @font-face rules pointing at font files on Typekit servers, that's generally fine.
In this case Typekit will receive the URL of the page the user is browsing as a referrer, but there should not in general be sensitive information in the URL so that should be OK. (That may not be true if you have something like a reset password link - if you do, take care to ensure such URLs can only be accessed once so the ID in the link is worthless afterwards.)
However there is a variant where you include a script tag pointing at them:
<script type="text/javascript" src="https://use.typekit.com/some_id.js"></script>
This is a bad idea if your site does anything sensitive, because it gives typekit complete control over everything a user does on your site. If they went evil (or were compromised), they could steal any passwords typed on your site, delete all the user's data on the site, redirect the user to browser exploits, and so on.
In general you should never include remote scripts or stylesheets from anyone you don't 100% trust with the security of your site.
Any time you embed content, whether it be JS, CSS, fonts or anything else, from an external source to a sensitive page, you're increasing your attack surface. This does not necessarily mean that there is, or will be, a specific attack, but it does create more potential ways in which your site could be compromised.
Indeed, there have been real-world attacks using web fonts even without JavaScript, both based on browser / OS bugs and simply based on interactions of deliberate browser features. The Firefox security extension NoScript blocks CSS @font-face by default for that reason.
If you want to use a custom font on your secure site, the safest way to do it is to host it yourself — either on the site itself, or, perhaps better yet, from a separate no-cookie domain which is under your control, but isolated from your main website content by browser same-origin policies.

launch google search from link

I am running a website based on PHP on a server run by a large host. My goal is very simple: include a link on my site to a Google search where I dynamically give the search term.
Starting with the URL that appears in the address bar, I've narrowed the syntax down to
http://www.google.com/search?q=test
This works when I type it into the address bar. However, when I launch from the server, it redirects to:
www.google.com/webhp...lots of characters
There are references on the web to webhp being related to a virus but I'm pretty sure my host does not have any viruses on its servers.
Does anyone know the proper way to launch a simple Google search from a link? Is a straight link forbidden? I am willing to use JS to push the link to the client if necessary (which I use for Google Maps at Google's recommendation due to usage limits), but I want to keep things as simple as possible. This link is just to save people a few clicks.
Thanks for any suggestions.
Simply use the urlencode method:
<?php
// Assumes $userinput holds the search term; here it is taken from the query string, with a default for testing.
$userinput = isset($_GET['term']) ? $_GET['term'] : 'test';
// urlencode() makes the term safe inside the query string; htmlspecialchars() makes it safe as the link text.
echo '<a href="http://www.google.com/search?q=', urlencode($userinput), '">', htmlspecialchars($userinput, ENT_QUOTES, 'UTF-8'), '</a>';
?>
If you wish to do it with Javascript the answer is here: Encode URL in JavaScript?
Try to track down the "URL Rewriting"; I think it's a virus you need to remove: http://www.ehow.com/how_8728291_rid-webhp.html
WebHP is a computer virus that automatically sets your homepage to a fake Google site, known as Google.com/WebHP. This virus will also randomly open windows or tabs to load this website, as well as generate pop-ups and fake errors. Also installed with this virus is a rootkit which can disable your PC's firewall and other methods of security. If left untreated, the WebHP virus allows hackers to remotely access your computer and steal personal information, such as credit card numbers and email passwords.

Prevent browser to disclose user input

Is it possible to load a web page and then reliably and permanently prevent the browser (and the potentially hostile web page) from disclosing any user input made on that page?
Cross browser?
The use case would be an online utility exposing some service on personal information. This utility will not need to make any server requests after it is loaded.
The following procedure illustrates the question, but is probably neither sufficient nor efficient:
Load web page
Go offline
Interact with the web page
Close the page
Remove cookies
Clear web storage
Go online
