Everyone knows the internet is a dangerous place. Visit the wrong web site and it might instantly install malware on your device that steals your data or locks up your files and holds them for ransom.
Most people know they should be careful when surfing the web. Alert users, for example, are careful to make sure before clicking that a link is actually for the website they want to visit, and not some spoofed copy with a misleadingly similar — but not identical — URL.
But what if a legitimate site has been infected without the owner’s knowledge? All the checking and caution in the world will not save the unfortunate visitors who land on the site before the malware’s discovered and removed.
The JavaScript Problem
A new report from Tala Security claims that an astounding 97% of all websites have some form of vulnerability to JavaScript Cross-Site Scripting (XSS).
With XSS, an attacker can insert malicious code on someone else’s website. When a user visits the website, the malware will run on the user device. For example, a dating website might hide the real name and email address of users for privacy reasons. Jane wants to know the real names of people on the site. She writes a script that will run on other people’s devices when they visit HER profile, and loads it up onto the site. When Dave visits Jane’s profile, the script runs and steals Bob’s information from his own device.
The report indicates that 92% of websites expose data to an average of 17 different domains. The JavaScript connections to all these different domains can be conduits for infections getting into the website.
Companies seem to be aware of the risk, but the measures they take are frequently ineffective. The report claims that new security policies were implemented for 30% of the websites analyzed; yet only 1.1% of the web sites were found to have EFFECTIVE security measures in place.
Those appalling statistics mean that it’s safe – or rather, unsafe — to assume that any website you visit, even sites you trust as legitimate, could be infected by code inserted via JavaScript from external domains.
Protecting Against JavaScript XSS
The best way to protect against web-based attacks, including XSS, is to keep all active web content off of endpoints. Of course, not browsing at all is not in the cards for any user today. But Remote Browser Isolation (RBI), a Zero Trust solution that does not count on any site to be safe, opens all websites in a virtual browser, located remotely in an isolated container in the cloud. No active content ever reaches the browser on the user device – only safe rendering data that provides a natural, fully interactive browsing experience. The isolated container is destroyed at the end of each session, so no malicious code can persist.
The Mice are Winning. The Best You can Do is to Keep Your Cheese Safe.
Without doubt, some smart white-hat cybersecurity guy will find a way to prevent JavaScript XSS. But before he can wipe his brow and say, “Done,” some equally smart person in a black hat will have devised an equally smart new way to inject malware into legitimate sites.
Don’t depend on the cat-and-mouse game of the malware development-infection-detection-eradication cycle. Let Remote Browser Isolation airgap your endpoints from all website content, safe from whatever new, unknown malware has hitched a ride on the website you need.
