Topic: Calling a Web Master..

[Bob Wessner]

Just curious, was using IE9, highlighted a word to do a search. The search attempt (Google) resulted in a message; "Internet Explorer has modified this page to help prevent cross-site scripting." The delivered page merely had a "#" in the upper-left.

What exactly is cross-site scripting and how is it done? I'm assuming is it not a good thing from a user perspective. Is it simply some sort of redirection?

[CycleRanger]

Yes, it's reacting to the fact that using the google search sends you to google.
For example: (http://www.google.com/cse?cx=partner-pub-9323359806520211%3A1305160748&ie=UTF-8&q=engine+stand&sa=Search&siteurl=forums.sohc4.net%2Findex.php%3Faction%3Dunread&ref=#gsc.tab=0&gsc.q=engine%20stand&gsc.page=1)

It's a defensive setting to prevent possible hax.

[FuZZie]

Just curious, was using IE9, highlighted a word to do a search. The search attempt (Google) resulted in a message; "Internet Explorer has modified this page to help prevent cross-site scripting." The delivered page merely had a "#" in the upper-left.

What exactly is cross-site scripting and how is it done? I'm assuming is it not a good thing from a user perspective. Is it simply some sort of redirection?

It's a little more involved than a hax, It's usually a more to do with social engineering. Best way to understand is example chain of events.

First well use 1bank as where your heading for and this is the url:

Code: [Select]

www.1bank.com
so whoever has managed to get some control on that site just one little line that redirects you to his site:

Code: [Select]

www.Ibank.com

Your redirected to a copy of 1bank it looks good so you enter your user name and password then you'll get some popup or page saying you need to verify with your security answers so you type in your mothers maiden name or your son's date of birth .... and the page fails, you get a error and are told to return later.

What happened is you just gave a thief all your info and he knows the site already very soon your going to take a hit at 1bank sorry.

So a more historic example would be this url:

Code: [Select]

www.paypaI.com or

Code: [Select]

www.paypa!.comCan you see the problem with it bob?

[BobbyR]

You have an exclamation mark where the L should be. At a quick glance it looks fine. great example!

[FuZZie]

Would have been better bobby  if I had controlled the fonts

[Bob Wessner]

Thanks all for th info, my curiosity is now satisfied. 

[Bob Wessner]

Odd little follow-up on this. My original search was a book title enclosed in single quotes. This produced the message in question. On another site, another book title only in single quotes, produced the same results. If I search the same thing(s) independently with single quotes (i.e., in the search bar) I also get the message. However, if I search the same titles with double quotes as it the usual way to indicate a book title, I get valid results. What might the significance of the single quotes be in this regard?

[FuZZie]

I don't search books much but, it should depend on the search engines or browsers security rule set.

[Bob Wessner]

It does it on any single word or string. It's almost as though it is being interpreted as a programming literal. ??

[FuZZie]

What are you searching with?

[Bob Wessner]

What are you searching with?

Win 7, Google search engine and IE9.

[FuZZie]

I can't help much with IE as I run on Linux, I only emulate IE. Witch I do to make sure pages will display correctly in it. I do this because Microsoft has a history of ignoring the web standards (last few versions they have been improving though). I did a quick check in Google search and didn't see your issue though.

[Bob Wessner]

Thanks. Not a big deal, I was just curious.

[BobbyR]

Google has a probelm searching for a phrase. They added a feature on the side under search tools that allows you to specify exact words in exact order.