Everyone knows the internet is a dangerous place. Visit the wrong web site and it might instantly install malware on your device that steals your data or locks up your files and holds them for ransom.
Most people know they should be careful when surfing the web. Alert users, for example, are careful to make sure before clicking that a link is actually for the website they want to visit, and not some spoofed copy with a misleadingly similar — but not identical — URL.
But what if a legitimate site has been infected without the owner’s knowledge? All the checking and caution in the world will not save the unfortunate visitors who land on the site before the malware is discovered and removed.
With cross-site scripting (XSS), an attacker can insert malicious code into someone else’s website. When a user visits the website, the malicious code runs on the user’s device. For example, a dating website might hide the real names and email addresses of users for privacy reasons. Jane wants to know the real names of people on the site. She writes a script that will run on other people’s devices when they visit her profile, and uploads it to the site. When Dave visits Jane’s profile, the script runs and steals Dave’s information from his own device.
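The profile scenario above, as an added example that is not from the original article: a page renderer that inserts a stored profile field as markup, beside a version that HTML-encodes it first. The function names and the profile record are hypothetical and constructed for illustration.

```javascript
// Added illustration. All names are hypothetical; the profile data is constructed.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the characters that let text leave element or quoted-attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: stored profile fields are concatenated into the page as markup,
// so whatever Jane saved in her bio is parsed by every visitor's browser.
function renderProfileUnsafe(profile) {
  return `<section title="${profile.displayName}"><p>${profile.bio}</p></section>`;
}

// Hardened: every stored field is encoded for the context it lands in,
// so the same bio is displayed as text and never parsed as an element.
function renderProfileSafe(profile) {
  return `<section title="${escapeHtml(profile.displayName)}">` +
         `<p>${escapeHtml(profile.bio)}</p></section>`;
}

// Simple check for this demo: does the output contain a script element?
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}

// Simple check for this demo: did stored text add an attribute to <section>?
function sectionAttributeCount(html) {
  const openTag = html.match(/^<section\b([^>]*)>/)[1];
  return (openTag.match(/[\w-]+="[^"]*"/g) || []).length;
}

// Constructed record: a bio carrying a script element (body is a placeholder
// comment) and a display name containing a quote that ends the title attribute.
const janeProfile = {
  displayName: 'Jane" data-injected="1',
  bio: "Hi there! <script>/* placeholder for attacker-supplied code */</script>",
};

for (const render of [renderProfileUnsafe, renderProfileSafe]) {
  const html = render(janeProfile);
  console.log(render.name, "script element:", hasScriptElement(html),
              "section attributes:", sectionAttributeCount(html));
}
```
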
Companies seem to be aware of the risk, but the measures they take are frequently ineffective. The report claims that new security policies were implemented for 30% of the websites analyzed; yet only 1.1% of the websites were found to have effective security measures in place.
The best way to protect against web-based attacks, including XSS, is to keep all active web content off of endpoints. Of course, not browsing at all is not in the cards for any user today. But Remote Browser Isolation (RBI), a Zero Trust solution that does not count on any site to be safe, opens all websites in a virtual browser, located remotely in an isolated container in the cloud. No active content ever reaches the browser on the user device – only safe rendering data that provides a natural, fully interactive browsing experience. The isolated container is destroyed at the end of each session, so no malicious code can persist.
The Mice are Winning. The Best You can Do is to Keep Your Cheese Safe.
Don’t depend on the cat-and-mouse game of the malware development-infection-detection-eradication cycle. Let Remote Browser Isolation airgap your endpoints from all website content, safe from whatever new, unknown malware has hitched a ride on the website you need.