
How can enterprises prevent same-origin policy XSS vulnerabilities?

Researchers warned about the rise of a new cross-site scripting flaw involving same-origin policy. Expert Nick Lewis explains the vulnerability and how to prevent falling victim.

I read about a recent Internet Explorer vulnerability involving cross-site scripting (XSS) that may become popular among threat actors. How can these same-origin policy XSS vulnerabilities be exploited, and what is the best way to prevent them from putting our users at risk?

Threat actors, pen testers and other security researchers always build on prior working exploits and attack techniques. This is especially true of Web browser security research, because fully patched Web browsers have become increasingly difficult to exploit. Adding this new Internet Explorer attack to an attacker's toolbox lets the attacker concentrate on the specific target or objective rather than building every component from scratch.

David Leo, a researcher with U.K.-based security firm Deusen, disclosed a universal XSS vulnerability affecting Internet Explorer 9, 10 and 11 that allows an attacker to use a malicious website to change the contents of another tab open in the same browser. This directly violates the same-origin policy, which prevents a website open in one browser window or tab from reading or modifying the contents of a different website open in another.

Protecting against these sorts of same-origin policy XSS vulnerabilities is critical in modern Web browsers because a user might, for example, be browsing entertainment websites while performing online banking in a separate tab. Having an attack originate from the entertainment website and affect the online banking would be a serious vulnerability.
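To make the policy the two paragraphs above describe concrete, here is an added example, not code from the article or from Deusen, that models the check a browser performs before a script in one tab may touch the document of another. An origin is the scheme, host and port triple; the tab objects, URLs and documents below are constructed for the example, and the entertainment-versus-banking case mirrors the scenario in the text.

```javascript
// Added illustration of the same-origin policy: a script running in one
// tab may only read or modify another tab's document when both documents
// share an origin (scheme, host, port). Not from the article; the tab
// objects and URLs are constructed for this example.

// The WHATWG URL parser normalizes default ports, so
// "https://bank.example:443" and "https://bank.example" yield the same origin.
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Minimal model of cross-tab access: a script in `from` asks for the DOM of
// `to`. The browser grants the request only when the origins match; the
// universal XSS bug in the article is a case where this check was bypassed.
function crossTabAccess(from, to) {
  if (!sameOrigin(from.url, to.url)) {
    return {
      allowed: false,
      reason: `blocked: ${originOf(from.url)} may not access ${originOf(to.url)}`,
    };
  }
  return { allowed: true, document: to.document };
}

// Constructed sample tabs (hypothetical hostnames).
const bankAccounts = { url: "https://bank.example:443/accounts", document: "<h1>Balance</h1>" };
const bankLogin = { url: "https://bank.example/login", document: "<form>login</form>" };
const bankOverHttp = { url: "http://bank.example/accounts", document: "<h1>Balance</h1>" };
const bankSubdomain = { url: "https://www.bank.example/", document: "<p>marketing</p>" };
const entertainment = { url: "https://videos.example/watch", document: "<video></video>" };

// Same site, same scheme, default port spelled out: allowed.
console.log(crossTabAccess(bankLogin, bankAccounts));
// Different origin (another site entirely): blocked.
console.log(crossTabAccess(entertainment, bankAccounts));
// Same host but different scheme: still a different origin, blocked.
console.log(crossTabAccess(bankOverHttp, bankAccounts));
// Subdomain is a different host: blocked.
console.log(crossTabAccess(bankSubdomain, bankAccounts));
```

The point worth noticing is that the comparison is on the whole origin, not the hostname: an `http://` page of the bank and a `www.` subdomain are both treated as foreign to the `https://bank.example` tab, which is exactly the isolation the Internet Explorer flaw undermined.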

Enterprises and individuals can best protect themselves by keeping their Web browsers up to date and by using a network-based antimalware device that can detect when malicious webpages are accessed.


This was last published in October 2015
