How safe is Safari against XSS attacks?

I've been using Safari for a while now, and I've looked for something like a no-script alternative for Safari. No-script is a good protection in Firefox against any kind of malicious websites or scripts. Is there an extension which could provide a way to make a white list or a black list in Safari? Or is it possible via an alternative method?

Hi
Extensions are unlikely to offer all the functions of noscript - http://hackademix.net/2010/06/08/before-you-ask-no-noscript-on-safari/
However, at https://extensions.apple.com/ there's
http://homepage.mac.com/drewthaler/jsblacklist/ although it's a long way from noscript - worth a trawl through the list at Apple, maybe.

Similar Messages

  • How safe IS Safari exactly?

    Okay, well I was doing the common application this weekend. It asks you for your Social Security number, and I entered it without thinking twice... However I remembered a post on Macrumours about how Phishing was common among Mac users because we used Safari, so I just got hit by an attack of paranoia. Though I still don't really understand exactly why the social Security number is so important, I do understand that it is.
    Is there any chance that my number could have been stolen? D=
    I don't really think that entering the number on the college application is the same as entering credit card information, but I AM really afraid of identity theft... What do you guys think? =(
    Is there anything I should do? Any way I can find out if I have some sort of spyware that could have done this?

    How safe IS Safari exactly?
    No browser in existence can prevent a user from voluntarily entering private information online. I believe people have an unreasonable expectation of what a browser can and cannot do in terms of protecting their privacy. Where phishing scams are concerned all a browser can do is warn the user that a particular site is questionable based on some database (Safari apparently uses Google's anti-phishing database).
    And you heard wrong, very wrong. Phishing is NOT any more common using Safari than any other browser. The people posting this tripe have personal agendas. Contrary to belief, if you read something on the internet it is not necessarily or even commonly true.

  • How safe is safari on iPhone?

    Can you get viruses on your phone using safari or email?

    Technically you can't download files onto the system from Safari. And mail attachments appear to use some form of Safari for viewing, so you're as safe on iPhone as on anything.
    Kevin

  • How safe is Safari from spyware?

    Any input from the community on the safety of Safari with Mac OSX 10.6 from spyware would be appreciated.  Also, the feeling of any additional protection needed.

    Kurt Lang wrote:
    WZZZ,
    Many browser exploits are delivered via JavaScript.
    That would be Java, not JavaScript. Or at least the recent Flashback exploit, and the others that followed trying to use the same flaw were all Java related. Can't say I've seen an exploit related to JavaScript.
    Also, Safari for Snow Leopard doesn't appear to be getting any more updates, consequently it is missing further security patches.
    A new security update for Snow Leopard was released just last week. Though I wouldn't hold out much hope we'll see too many more.
    Kurt, I was talking about JavaScript, specifically certain browser exploits, not Java. Have a look through this  and this to see what I was talking about.
    And I wasn't talking about the recent Security Update for Snow (tell me about it!) I meant that Safari 5.1.7, apparently being the final version for Snow, didn't get the security patches that the new Safari for Lion or ML got. It's being left behind.

  • How do you protect yourself against DDOS attacks?

    I'm starting a new job soon for an employer who has had the occasional ddos attack against their website.
    Anyways I was wondering, how do you guys protect yourselves against ddos attacks?
    The way my employer fought against it last time was rather inelegant and a sort of lucky situation. They noticed that all the attacks came from IPs which were located in foreign countries, so they simply blocked entire IP ranges which weren't from the country they were providing the service for.
    This seems like quite a drastic measure to me. After all, one goal of my employer is to become more international, and even if you cater only to local clientele, plenty of legitimate users could be across the border.
    Specifically protecting Apache against DDOS attacks is what I would be interested in.
    Can anyone suggest some software or setup I should research for this?

    A colleague of mine recently had one of his own servers under a DDOS attack. Nginx helped out a bit. But the holy grail in this case was Fail2ban.
    Now, usually a DOS would mean that massive requests are issued within a short time. Such behaviour is easily identified and blocked. But how do you react when it's distributed and each individual node is issuing requests at a normal rate?
    Well, in my tests I came to the conclusion that it's all about the difference in typical behaviour of legitimate visitors to a site and automated requests as in the case of a DDOS attack.
    For example, a DOS bot might not issue requests at an alarmingly high rate (slow and steady wins the race), but it will continually issue requests for hours.
    So rather than trying to catch "burst" behaviour with requests crossing a certain threshold in a short amount of time, I instead configured fail2ban to check for IPs which crossed a certain threshold after an hour, and then block that IP for 24 hours.
    It might take a while to find the sweet spot. And it won't be effective immediately. But with a little patience the blocklist started to fill up, and after a few hours the DDOS'ers seemed to have run out of IPs from which to attack.
    It makes sense if you think about it. A legitimate human user will go to a site and spend most of their time reading content, rather than clicking links. Well, usually anyways.
    Also, I've noticed that bots always seem to hit the same URL. Meaning, the main URL of the site, and not selecting any links within the site. While I suppose that it would be trivial to configure a bot to act more legitimately and have it actually click through all available links, I think it kind of defeats the purpose. Or at least most script kiddies won't go that far.
    If you know your way around with REGEXP, I'm sure you could come up with some really nicely custom-tailored rules for fail2ban to use in identifying and blocking IPs. So for example, rather than simply counting ANY connection made in the http logs, you could concentrate on IPs which only and continually access the main URL, over and over again.
    Legitimate users will most likely click on other links as well, so if you manage to exclude these kinds of accesses from Fail2ban's counting mechanism, you minimize the chance of locking out legitimate users.
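
The long-window heuristic from the answer above, as an added example (not the poster's fail2ban configuration): it counts only requests for the main URL per IP over an hour, restarts the count when the client opens any other path, and bans for 24 hours. The threshold of 30 hits, the log lines and the IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: host ident user [time] "METHOD path PROTO" ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*"')


def find_bans(lines, max_hits=30, findtime=timedelta(hours=1),
              bantime=timedelta(hours=24), main_url="/"):
    """Return {ip: ban_expiry} for clients that request only main_url
    more than max_hits times inside a sliding findtime window.
    max_hits=30 is an assumed threshold; the post gives no number."""
    hits = defaultdict(deque)   # ip -> timestamps of consecutive main_url hits
    bans = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # unparseable line: ignore rather than guess
        ip, path = m["ip"], m["path"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ip in bans and ts < bans[ip]:
            continue            # still banned; this traffic would be dropped upstream
        window = hits[ip]
        if path != main_url:
            window.clear()      # followed a link: looks like a reader, restart the count
            continue
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()    # forget hits older than the window
        if len(window) > max_hits:
            bans[ip] = ts + bantime
            window.clear()
    return bans


def sample_log():
    """Constructed access log: one slow bot and two ordinary visitors."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    events = []
    # Bot: "/" every 90 seconds for two hours, never a burst.
    events += [(t0 + timedelta(seconds=90 * i), "203.0.113.7", "/") for i in range(80)]
    # Frequent visitor: reloads "/" every minute, opens an article every tenth request.
    events += [(t0 + timedelta(seconds=60 * i), "198.51.100.33",
                f"/news/{i}" if i % 10 == 9 else "/") for i in range(60)]
    # Casual visitor: a handful of page views.
    events += [(t0 + timedelta(minutes=mins), "198.51.100.20", p)
               for mins, p in [(5, "/"), (6, "/articles/1"), (40, "/"), (41, "/about")]]
    events.sort()
    return [f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" 200 512'
            for ts, ip, path in events]


if __name__ == "__main__":
    log = sample_log()
    print("hourly window:", find_bans(log))
    # A burst rule (more than 20 hits per minute) never fires on this traffic.
    print("burst window :", find_bans(log, max_hits=20, findtime=timedelta(minutes=1)))
```

The same function run with a one-minute window shows why a burst threshold misses this traffic while the hourly window catches it.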

  • How do I protect against WPA de-authentication attacks?

    Source: http://superuser.com/questions/216477/how-do-i-protect-against-wpa-de-authentication-attacks
    Someone is constantly sending deauth packets to me.... =(
    Is there a way to maybe ignore de-auth packets? I know sometimes they are legit... But I'm not clear on when.... maybe if there was a way to detect when they were from the router... or something... not ... that... that also couldn't be forged... bah... =(

    Not much you can do about it.
    http://www.netstumbler.org/f9/block-prevent-deter-deauthentication-attacks-19607/
    Regards,

  • How secure is Safari?

    I've read that it isn't as secure as we all think, for instance concerning phishing attacks (is there really a filter within Safari?). So how secure is Safari (for banking transactions and more) really?

    Hi
    Welcome to Apple Discussions
    Phishing occurs when a misdirect to a fraudulent site is built in to a link via either an e-mail or web site. No browser is 100% immune to this problem. Best defense is to avoid opening links in e-mails, especially those sent from Banks, Credit Card companies, etc. Also, reporting the e-mail to the affected web site hosts or security is very helpful.
    Safari is as secure as any other browser. Its encryption meets current industry standards followed by lending institutions etc. I have no qualms using this browser for any https site, as long as the certificate of the site is up-to-date and valid (Safari will tell you if it's not).
    To ensure I am opening a valid site address, I use 1Password. This is a 3rd party supplement to Apple's Keychain which adds another level of security.

  • How predictable are Safaris password suggestions?

    I wonder if password suggestions which are made by Safari in Mavericks are predictable and thus attackable. Has anyone any clue on this issue, how safe the usage of those passwords is?
    Thanks!

    No one outside Apple knows the answer. If you don't trust the built-in password generator, see below.
    One way to generate a secure password is the following. Triple-click anywhere in the line below on this page to select it:
    openssl rand -base64 10 | cut -c-14 | open -ef
    Copy the selected line to the clipboard by pressing the key combination command-C. Launch the Terminal application and paste into the window that opens (command-V). A string of 14 random characters will appear in a TextEdit window. Use that string, or a substring, as the password. To generate another random string, press the up-arrow key and then the return key with the Terminal window active. You can then quit Terminal.

  • How safe is a hidden, closed Airport?

    Because the new Airport n doesn't work with xbox when security is enabled, I'm thinking of just make it a closed airport and hidden. No security. The kids two xbox's will work then.
    But how safe am I with a closed, no-encryption network?
    MacBook Pro 2.0ghz   Mac OS X (10.4.9)   2gig of Ram/160GB HD

    It's not very safe against someone who knows what they're doing. The SSID can be discovered rather easily and even if you enable MAC address filtering, the MAC address can be easily spoofed.

  • How to have Safari links always open in same window

    I've been researching how to have Safari always open links in the same window, but it appears this can't be done?  I've seen this third party app, but am afraid of installing something that doesn't come from the app store because it might harm my macbook.  Does anyone have any thoughts about how to have links always open in the same window? Or how to find out if I can trust this app:
    http://canisbos.com/linkthing

    You can reset the folio by triple tapping the title in the nav bar.
    Bob

  • Safari App deleted. How to restore Safari on iPhone without restoring to backup?

    I was trying to back up my phone using iTunes and not sure how, but the Safari is no more on my phone.
    How do I restore / re-install the Safari App without having to restore my phone?
    I have my work email configured and don't want to go through the configurations all over again and deal with the Support Personnel for that.
    Any help on this is greatly appreciated. Please help!
    Thanks
    VJ

    But I just have gone in and Reset my Home Screen Layout but still no success.
    Even the Search on the phone doesn't show the App or details.
    Any idea what needs to be done?
    Thanks
    VJ

  • Each time I start Firefox it says: "URGENT! Your version of Firefox is no longer protected against online attacks. Get the upgrade - it's fast and free!" I am using ver. 3.6.13 and upgrading "successfully" only stays on 3.6.13 with same URGENT message.

    Each time I start Firefox it says:
    "URGENT! Your version of Firefox is no longer protected against online attacks. Get the upgrade - it’s fast and free!"
    I am using ver. 3.6.13 and upgrading "successfully" only stays on 3.6.13 with same URGENT message.

    Your UserAgent string in Firefox is messed up and needs to be reset.
    http://en.wikipedia.org/wiki/User_Agent
    Type about:config in the URL bar and hit Enter.
    If you see the warning, you can confirm that you want to access that page.
    Filter = general.useragent.
    Right-click the preferences that are bold, one line at a time, and select Reset.
    Then restart Firefox.

  • How to parse XML against XSD,DTD, etc.. locally (no internet connection) ?

    I've searched for how to parse XML against XSD, DTD, etc. without the need for an internet connection,
    but unfortunately only the XSD file can be set locally, and an internet connection is still needed for the other features and properties.
    XML: GML file input from gui
    XSD: input from gui
    javax.xml
    package demo;

    import java.io.File;
    import java.io.IOException;
    import java.net.MalformedURLException;
    import java.net.URL;
    import javax.xml.XMLConstants;
    import javax.xml.transform.Source;
    import javax.xml.transform.stream.StreamSource;
    import javax.xml.validation.Schema;
    import javax.xml.validation.SchemaFactory;
    import javax.xml.validation.Validator;
    import org.xml.sax.SAXException;

    public class Sample1WithJavaxXML {
        public static void main(String[] args) {
            URL schemaFile = null;
            try {
                //schemaFile = new URL("http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd");
                // Point the schema URL at a local file instead of a remote location
                File file0 = new File("AppSchema-C01-v1_0.xsd");
                schemaFile = new URL(file0.toURI().toString());
            } catch (MalformedURLException e1) {
                e1.printStackTrace();
                return;
            }
            //Source xmlFile = new StreamSource(new File("web.xml"));
            Source xmlFile = new StreamSource(new File("C01.xml"));
            SchemaFactory schemaFactory = SchemaFactory
                .newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            //File file1 = new File("XMLSchema.dtd");
            //SchemaFactory schemaFactory = SchemaFactory
                //.newInstance("javax.xml.validation.SchemaFactory:XMLSchema.dtd");
            Schema schema = null;
            try {
                // Schemas imported or included by the XSD are resolved here
                schema = schemaFactory.newSchema(schemaFile);
            } catch (SAXException e1) {
                e1.printStackTrace();
                return; // no schema loaded, nothing to validate against
            }
            Validator validator = schema.newValidator();
            try {
                validator.validate(xmlFile);
                System.out.println(xmlFile.getSystemId() + " is valid");
            } catch (SAXException e) {
                System.out.println(xmlFile.getSystemId() + " is NOT valid");
                System.out.println("Reason: " + e.getLocalizedMessage());
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
    Xerces
    package demo;

    import java.io.File;
    import java.util.Date;
    import org.apache.xerces.parsers.DOMParser;

    public class SchemaTest {
        private String xmlFile = "";
        private String xsdFile = "";

        public SchemaTest(String xmlFile, String xsdFile) {
            this.xmlFile = xmlFile;
            this.xsdFile = xsdFile;
        }

        public static void main(String args[]) {
            File file0 = new File("AppSchema-C01-v1_0.xsd");
            String xsd = file0.toURI().toString();
            SchemaTest testXml = new SchemaTest("C01.xml", xsd);
            testXml.process();
        }

        public void process() {
            File docFile = new File(xmlFile);
            DOMParser parser = new DOMParser();
            try {
                // Turn on validation and bind the local XSD to the no-namespace schema location
                parser.setFeature("http://xml.org/sax/features/validation", true);
                parser.setFeature("http://apache.org/xml/features/validation/schema", true);
                parser.setProperty("http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation",
                        xsdFile);
                // ErrorChecker is the poster's own ErrorHandler implementation (not shown)
                ErrorChecker errors = new ErrorChecker();
                parser.setErrorHandler(errors);
                System.out.println(new Date().toString() + " START");
                parser.parse(docFile.toString());
            } catch (Exception e) {
                System.out.print("Problem parsing the file.");
                System.out.println("Error: " + e);
                System.out.println(new Date().toString() + " ERROR");
                return;
            }
            System.out.println(new Date().toString() + " END");
        }
    }

    Thanks a lot Sir DrClap..
    I tried to use and implement the org.w3c.dom.ls.LSResourceResolver Interface which is based on the SAX2 EntityResolver.
    Please comment on the way I implemented it. Here's the code:
    LSResourceResolver Implementation
    import org.w3c.dom.ls.LSInput;
    import org.w3c.dom.ls.LSResourceResolver;
    import abc.xml.XsdConstant.Path.DTD;
    import abc.xml.XsdConstant.Path.XSD;

    public class LSResourceResolverImpl implements LSResourceResolver {
        public LSResourceResolverImpl() {
        }

        /**
         * {@inheritDoc}
         */
        @Override
        public LSInput resolveResource(String type, String namespaceURI, String publicId, String systemId, String baseURI) {
            ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
            LSInput input = new LSInputImpl(publicId, systemId, baseURI);
            // Serve the well-known W3C schema and DTDs from the classpath
            if ("http://www.w3.org/2001/xml.xsd".equals(systemId)) {
                input.setByteStream(classLoader.getResourceAsStream(XSD.XML));
            } else if (XsdConstant.PUBLIC_ID_XMLSCHEMA.equals(publicId)) {
                input.setByteStream(classLoader.getResourceAsStream(DTD.XML_SCHEMA));
            } else if (XsdConstant.PUBLIC_ID_DATATYPES.equals(publicId)) {
                input.setByteStream(classLoader.getResourceAsStream(DTD.DATATYPES));
            }
            // Any other id is returned with no stream set, so the parser
            // falls back to opening systemId itself
            return input;
        }
    }
    I also implement org.w3c.dom.ls.LSInput
    import java.io.InputStream;
    import java.io.Reader;
    import org.w3c.dom.ls.LSInput;

    public class LSInputImpl implements LSInput {
        private String publicId;
        private String systemId;
        private String baseURI;
        private InputStream byteStream;
        private String stringData;

        public LSInputImpl(String publicId, String systemId, String baseURI) {
            super();
            this.publicId = publicId;
            this.systemId = systemId;
            this.baseURI = baseURI;
        }
        //getters & setters
    }
    Then, here's the usage/application:
    I create XMLChecker class (SchemaFactory implementation is Xerces)
    import java.io.File;
    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.List;
    import javax.xml.XMLConstants;
    import javax.xml.stream.FactoryConfigurationError;
    import javax.xml.transform.Source;
    import javax.xml.transform.stream.StreamSource;
    import javax.xml.validation.Schema;
    import javax.xml.validation.SchemaFactory;
    import javax.xml.validation.Validator;
    import org.xml.sax.ErrorHandler;
    import org.xml.sax.SAXException;
    import org.xml.sax.SAXParseException;
    import abc.xml.XsdConstant.Path.XSD;

    public class XMLChecker {
        // ErrorMessage is the poster's own holder class (not shown)
        private ErrorMessage errorMessage = new ErrorMessage();

        public boolean validate(String filePath) {
            final ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
            // All schemas are loaded from the classpath, not from the network
            List<Source> schemas = new ArrayList<Source>();
            schemas.add(new StreamSource(classLoader.getResourceAsStream(XSD.XML_SCHEMA)));
            schemas.add(new StreamSource(classLoader.getResourceAsStream(XSD.XLINKS)));
            schemas.add(new StreamSource(classLoader.getResourceAsStream("abc/xml/AppSchema.xsd")));
            SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            schemaFactory.setResourceResolver(new LSResourceResolverImpl());
            try {
                Schema schema = schemaFactory.newSchema(schemas.toArray(new Source[schemas.size()]));
                Validator validator = schema.newValidator();
                // Record the first problem and abort validation by rethrowing
                validator.setErrorHandler(new ErrorHandler() {
                    @Override
                    public void error(SAXParseException e) throws SAXException {
                        errorMessage.setErrorMessage(e.getMessage());
                        errorMessage.setLineNumber(e.getLineNumber());
                        errorMessage.setColumnNumber(e.getColumnNumber());
                        throw e;
                    }

                    @Override
                    public void fatalError(SAXParseException e) throws SAXException {
                        errorMessage.setErrorMessage(e.getMessage());
                        errorMessage.setLineNumber(e.getLineNumber());
                        errorMessage.setColumnNumber(e.getColumnNumber());
                        throw e;
                    }

                    @Override
                    public void warning(SAXParseException e) throws SAXException {
                        errorMessage.setErrorMessage(e.getMessage());
                        errorMessage.setLineNumber(e.getLineNumber());
                        errorMessage.setColumnNumber(e.getColumnNumber());
                        throw e;
                    }
                });
                StreamSource source = new StreamSource(new File(filePath));
                validator.validate(source);
            } catch (SAXParseException e) {
                return false;
            } catch (SAXException e) {
                errorMessage.setErrorMessage(e.getMessage());
                return false;
            } catch (FactoryConfigurationError e) {
                errorMessage.setErrorMessage(e.getMessage());
                return false;
            } catch (IOException e) {
                errorMessage.setErrorMessage(e.getMessage());
                return false;
            }
            return true;
        }

        public ErrorMessage getErrorMessage() {
            return errorMessage;
        }
    }
    Edited by: erossy on Aug 31, 2010 1:56 AM

  • How safe to go for 9iAS in Windows.

    Hi Guys
    Good Day Guys? We are planning for Migration from 6i to 9i with 9iAS. How safe is it to go for 9iAS? What are the major problem faced during migration?
    Thanks for your help
    Diogo

    I would like to add a couple of things, based on my recent experience.
    We have a client/server 6i forms/reports application running on Linux and Solaris, which I have recently ported to iAS 10g (9.0.4). My biggest issue was the fonts and icons, but the entire application (more forms, fewer reports than you have) took only a week. Still have a problem with the graphics - still depends on the 6i graphics :( -- most of the charts are now in reports. There are some "form properties" that are obsolete now, and on Linux none of the vbx, etc. is supported. I am not sure that applies to the Windows version of iAS.
    You should also consider licensing. If you are licensed for full stack of iAS EE (includes forms/reports services), then you better utilize single sign on (for added security) and portal, etc. I really liked the portal capabilities. If you only licensed for the Forms/Reports services, then you have no other option (and no headache for sso, infra metadata repository, etc) by default.
    For training, I took some courses from Oracle. One of them was the iAS administrator I course. In that particular course, they do not teach deploying forms at all. And if you only deploy Forms/Reports services, I don't think the iAS administrator II (second part of the course) will be worth the money - they have a CD based offering for that and I think for ~400$ that is a better deal. I was able to deploy our forms/reports on iAS with not too much of a problem (after reading the manuals and white papers from OTN/Metalink). If you are licensed for full stack, then Portal class is really nice - I highly recommend it (I can even suggest a particular instructor if you are interested). Oracle also has a class teaching how to develop Java by using JDeveloper. That might be very useful for your Java programmer/s - given that JDeveloper is now free and includes Oracle Application Development Framework. Even if you are not going to use the full stack of iAS, knowing JDeveloper is nice to complement Forms applications.
    Another thing is that a certain version of Windows OS (2003 server) might be required to run Forms/Reports Services. There is a FAQ pdf file on OTN, and a certification matrix is also available on Metalink (if you have a valid CSI# you can open an account on Metalink).
    hope this proves useful.

  • Our software vendor tells to use FF 3.5.1. because of some printer issues with their web based program. How safe is it to work with FF 3.5.1 in 2012?

    Our software vendor tells to use FF 3.5.1. because of some printer issues with their web based program. How safe is it to work with FF 3.5.1 in 2012?

    Thanks for the reply. I'll have a look at your solution.
