Security Paranoia

Quick answer is NO.

I have been looking into web 2.0 and AJAX lately. AJAX is great. No doubt about that. Everyone loves it and it does provide killer experience for users. But there is cost of it. AJAX and other web 2.0 technologies allows use of cross-site scripting and XMLHttpRequests, which can open up yet another door for vulnerabilities.

Cross-site scripting vulnerabilities are now far more attractive targets than more notorious bugs such as buffer overflows, according to new figures from Mitre, a U.S. government-funded research organization.

Buffer overflows have long been one of the most common types of bugs attacked by malware, with Intel and Advanced Micro Devices (AMD) even building in hardware support for an anti-buffer overflow technology called NX (No Execute) or XD (Execution Disable).

But a shift is under way, according to Mitre’s findings. While buffer overflows affect executable files written in languages such as C, the increasing popularity of cross-site scripting (XSS) bugs indicates attackers are looking more at programming languages typically used for Web applications, such as Java, .Net and PHP.

Client-side scripting languages generally include same-origin policies, which allow interaction between Web objects and pages only as long as they come from the same domain and over the same protocol. XSS bugs allow malicious Web sites to find ways around these policies, potentially accessing sensitive data in other objects or browser windows.

The second most popular type of attack was SQL injection, which allows attackers to execute malicious SQL statements within a database. Third most popluar were PHP “include” vulnerabilities, which can allow attackers to execute arbitrary script on a server by including them in an existing script.

Out of about 20,000 reported vulnerabilities recorded by Mitre so far this year, 21.5% were XSS, 14% were SQL injection and 9.5% were PHP includes. Buffer overflows came in fourth, at 7.9%.

So far, I have found Mozilla’s Firefox better then IE in terms of security.

It claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions. Here’s a roundup of some of the more useful ones I’ve found.

• Add n’ Edit Cookies
  This might be more of a web developer tool, but being able to view in detail the cookies that various sites set on your visits can be an eye-opening experience. This extension not only shows you all the details, but lets you modify them too. You’ll be surprised at how many web apps do foolish things like saving your password in the cookie.
• Dr. Web Anti-Virus Link Checker
  This is an interesting idea — scanning files for viruses before you download them. Basically, this extension adds an option to the link context menu that allows you to pass the link to the Dr. Web AV service. I haven’t rigorously tested this or anything, but it’s an interesting concept that could be part of an effective multilayer personal security model.
  
• FormFox
  This extension doesn’t do a whole lot, but what it does is important — showing a tooltip when you roll over a form submission button of the form action URL. Extending this further to visually differentiate submission buttons that submit to SSL URLs would be really nice (as suggested by Chris Shiflett).
  
• FlashBlock
  Flash hasn’t been quite as popular an attack vector as Javascript, but it still potentially could be a threat, and it’s often an annoyance. This extension disables all embedded Flash elements by default (score one for securing things by default), allowing you to click to activate a particular one if you like. It lacks the flexibility I’d like (things like whitelists would be very handy), and doesn’t give you much (any?) info about the Flash element before you run it, but it’s still a handy tool.
• LiveHTTPHeaders & Header Monitor
  LiveHTTPHeaders is an incredibly useful too for web developers, displaying all of the header traffic between the client and server. Header Monitor is basically an add-on for LiveHTTPHeaders that displays a chosen header in Firefox’s status bar. They’re not really specifically security tools, but they do offer a lot of info on what’s really going on when you’re browsing, and an educated user is a safer user.
• JavaScript Option
  This restores some of the granularity Firefox users used to have over what Javascript can and cannot do. I’d like to see this idea taken farther (see below), but it’s handy regardless.
• NoScript
  This extension is pretty smooth. Of all the addons for Firefox covered here, this is the one to get. NoScript is a powerful javascript execution whitelisting tool, allowing full user control over what domains allow scripts to run. Notifications of blocked execution and the allowed domain interface are nearly identical to the built-in Firefox popup blocker, so users should find it comfortable to work with. NoScript can also block Flash, Java, and “other plugins;” forbid bookmarklets; block or allow the “ping” attribute of the tag; and attempt to rewrite links that execute javascript to go to their intended donation without triggering the script code.The one thing I’d really like to see from this extension would be more ganularity over what the Javascript engine can access. Now it’s only “on” or “off,” but being able to disable things like cookie access would eliminate a lot of potential security issues while still letting JS power rich web app interfaces.
• QuickJava
  Places handy little buttons in the status bar that let you quickly enable or disable Java or Javascript support. Note that this will not work with the latest stable Firefox (1.5.0.1). Hopefully a new version will be available soon.
• ShowIP
  This is another tool that isn’t aimed at security per se, but offers a lot of useful information. ShowIP drops the IP address of the current site in your status bar. Clicking on it brings up a menu of lookup options for the IP, like whois and DNS info. You can add additional web lookups if you like, as well as passing the IP to a local program. Handy stuff.
  
• SpoofStick
  The idea with this extension is to make it easier to catch spoofing attempts by displaying a very large, brightly colored “You’re on ” in the toolbar. For folks who know what they’re doing this isn’t wildly useful, but it could be just the ticket for less savvy users. It requires a bit too much setup for them, though, and in the end I think this is something the browser itself should be handling.
  
• Tamper Data
  Much like LiveHTTPHeaders, Tamper Data is a very useful extension for web devs that lets the user view HTTP headers and POST data passed between the client and server. In addition, Tamper Data makes it easy for the user to alter the data being sent to the server, which is enormously useful for doing security testing against web apps. I also like how the data is presented in TD a bit better than LiveHTTPHeaders: it’s easier to see at a glance all of the traffic and get an overall feel of what’s going on, but you can still drill down and get as much detail as you like.

Got more Firefox security extensions? Leave a comment and I’ll collect them in an upcoming post.

If you are heavy firefox user ( like me ), there is good news in terms of security. McAfee SiteAdvisor is available as “extension”. It is good thing. . I recently installed extension on my firefox and it has been very helpful.
If you are IE user, it is not that bad. Plugin is available for IE too.

What is it ?

McAfee SiteAdvisor helps protect you from all kinds of Web-based security threats including spyware, adware, spam, viruses, browser exploits, phishing, online fraud and identity theft. Their automated testers continually patrol the Web to browse sites, download files, and sign-up for things with e-mail addresses. As you search, browse, download or register online, SiteAdvisor’s safety ratings help you stay safe and in control.

It is FREE to use. I think that it is great tool to help identify “bad” sites. We do need some sort of database to do so.

How does it look?

Here is screen shot of search result page

Green color: Good to go !

Red Color - Use caution

If you are not using it, I will strongly recommend it to use it.

Download links

From download.com ( For firefox )

From download.com ( For IE )

http://www.siteadvisor.com/