defence against cross site scripting attack

closed account (z0My6Up4)
I don't know a whole lot about cross site scripting. I think it means that when someone visits a website malicious code embeds itself into your browser and follows you on to other sites that you visit. Is it true that by simply clearing your browsing data cache from time to time you can defend against this?
I don't think so
they can even store themselves on your system

Whenever I surf the net and scan my system with SpyHunter 4, it detects lots of malware, some of it stored on my hard drive (it came from websites).

The best anti-malware I came across is SpyHunter. You can download it and scan your system, but it's very costly; the subscription is only for 6 months.
I suppose you could run browsers in virtual machines for everything but important things like banking...

Or probably more convenient but less secure is to use the VM for the important stuff.

The idea is that you're running a virtual OS so it shouldn't be able to affect things on your actual OS... And vice versa.
I really haven't got a clue but it's just a thought, if anyone else knows if this would actually work I'm interested.
I don't think so
they can even store themselves on your system

Whenever I surf the net and scan my system with SpyHunter 4, it detects lots of malware, some of it stored on my hard drive (it came from websites).
You realize you just contradicted yourself with those two sentences? And in response to the first one, yes you can, it's called a cookie.

[cough]The best anti-malware I came across is SpyHunter. You can download it and scan your system, but it's very costly; the subscription is only for 6 months. [/quote] *cough* Malwarebytes, SUPERAntiSpyware, Avast *cough* There are others that work amazingly well. I can't recall them off the top of my head because I don't use antivirus.
I contradicted myself
I said "I don't think so" to this:
Is it true that by simply clearing your browsing data cache from time to time you can defend against this?

And when I said "on your system" I did not mean cookies.

By the way, show me proof that anything is better than SpyHunter at detecting malware.
There is nothing as far as I know. If you say anything is better, show me some links.
Those sentences were so poorly constructed I'm not even going to pretend to know what you mean.
closed account (z0My6Up4)
When I learn about stuff like cross site scripting it just makes me want to go off the grid completely. I think the US government has methods that can allow them to browse our hard drives just as easily as we browse the net.
closed account (z0My6Up4)
SatsumaBenji wrote:

I suppose you could run browsers in virtual machines for everything but important things like banking...

Or probably more convenient but less secure is to use the VM for the important stuff.

The idea is that you're running a virtual OS so it shouldn't be able to affect things on your actual OS... And vice versa.
I really haven't got a clue but it's just a thought, if anyone else knows if this would actually work I'm interested.


This would probably be a good idea but it would be very inconvenient to open a VM every time I wanted to go online. I wonder if there are people who actually do that?
@ flint: I do all of my banking through a sandbox, does that count? You don't need to guard your Google searches, just the important stuff.

You guys seem to be a bit confused about what XSS is. It's not an attack vector or a payload on its own, it's part of what is called a tool chain. What an XSS exploit does is run a script on the host (i.e. your machine) in a way that makes it seem like it came from a different site that the host is connected to. For instance, a banner ad could launch an XSS attack and make your browser think that the script it loaded to your browser came from this site. It's just a way for a script to spoof its origin. Now if you had given the site it is spoofing permission to read and write to your hard drive, launch Flash applications or run JavaScript applets, then whatever payload that script carries would have the same level of access.
closed account (z0My6Up4)
@Computergeek01 so is there a surefire way to protect against this? I have a NoScript plugin on my browser, does that mean I am safe?
IMO applying the principle of least privilege to your browser sessions should stop most XSS scripts from kicking off anything you don't want. For example: if you are on a site that you don't want to run Flash from, then don't allow that site to run Flash; that way, even if there is an XSS attack, it wouldn't be able to launch any exploits related to that framework. JavaScript is another big one. This one is much harder to manage though, since most sites use some form of it and it is historically full of security holes.
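
Added example, not part of any post in this thread: a sketch of the site-side view of what the last two posts discuss, showing how unescaped input becomes part of a site's own page (so the browser treats it as that site's script) and how output escaping plus a restrictive Content-Security-Policy header applies least privilege to scripts and plugins. The function names and the sample input are constructed for illustration.

```javascript
// Added example: all function names and sample values are hypothetical.

// Vulnerable rendering: the query is concatenated into the page as-is, so any
// markup in it is delivered by the site itself and runs with the site's origin.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Escape the characters that let text break out of an HTML text or
// quoted-attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: the same input is shown as text, never parsed as markup.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Least privilege for the page itself: only scripts loaded from the site's own
// origin may run (inline scripts are refused because 'unsafe-inline' is
// absent), and plugin content such as Flash is disallowed entirely.
function cspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";
}

// Simple check used below: does the HTML contain a script start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input, the kind a test harness would submit.
const sampleQuery = '<script>alert(document.domain)</script>';

console.log('unsafe:', renderSearchUnsafe(sampleQuery));
console.log('safe:  ', renderSearchSafe(sampleQuery));
console.log('Content-Security-Policy:', cspHeader());
```

Escaping is the primary fix; the header is a second layer that limits what an injected script could do if an escaping bug slips through.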