To see what can happen, consider this attack scenario: You find yourself surfing to a site belonging to an attacker, or even an innocent Web site that hosts content from millions of other users, such as a social networking site, an auction site or a Web-based email site. (An innocent Web site is just as likely to propagate an XSS flaw if it doesn't properly scrub user input to filter out browser scripts.) Once there, evil script programs are dutifully passed down to your browser. The browser then runs the scripts, interpreting them as being sent by the site.
"And then what?" you ask. Well, mayhem ensues. A script, running in the browser, can do anything you can do on that site: bid on an auction, buy stuff or expand your buddy list to include unsavory people. But it gets worse. The script could scrape your browser history to see if you've visited any embarrassing Web sites, and in turn forward the information back to the attacker. The script could also use the browser to start scanning other Web servers, perhaps even those inside of your corporation's firewall.
It's astounding what is being done with browser scripts these days. And, all of this is possible just because you surfed to the attacker's site, or viewed an attacker's content on a third-party location. For more details on these threats, check out the startling presentation by Billy Hoffman at this year's Shmoocon show, an East Coast hacking convention.
So in a nutshell, an attacker can use the browser to wield bot-like control of a victim's machine. Sure, there are restrictions on what scripts can do in a browser. They can't directly access any file in the file system or run arbitrary programs on the machine, for example, but clever researchers are finding ways to either dodge those restrictions or live within them to achieve powerful controls.
What can you do to defend yourself? On highly sensitive machines, you may want to disable browser scripts altogether. Also, make sure you keep your antivirus tool up to date. And, watch this trend carefully. There's big stuff coming in this realm, to be sure.
This was first published in October 2007