XSS Filters in IE8 and IE9 vs. Lead-Generating Advertisements
Cost Per Lead advertisements may be sending mixed messages to your site's visitors.
When it comes to internet advertisements I can’t say enough about the subject. I ran websites for years without ads and then started experimenting with advertisements. You might not agree with my findings, but when I added my own internal ads in the same places as the big, well-known websites do, I noticed a page time increase of about 35%. I’ll write about the tests I did before 2005 and after 2005 in another article, but to set the flow of this article: I concluded that people grew to expect advertisements, and many expected to see them or they might have thought they were not on a professional website. This is my opinion for non-technical resource websites and every eCommerce site.
With that said, I run both internal advertisements and external ones. I monitor the external ads to make sure I’m not getting smiley-face download junk and ringtones. But I also run a check to see if an ad network has been offering up viruses. You can find many malformed ad links in your server logs and from visitor feedback.
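The log check mentioned above can be automated. The script below is an added example written for this article, not code from the original post: it parses a few constructed lines in the common Apache/nginx "combined" log format (the IPs, hosts and payloads are made up), percent-decodes the request path and referer (repeatedly, so double-encoded values are seen too), and flags entries that carry markup or script fragments an ad link has no business containing. The marker list and the sample lines are assumptions chosen to illustrate the technique, not a complete signature set.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2011:14:02:11 +0000] "GET /article/ads.html HTTP/1.1" 200 5123 "http://ads.example.net/serve?zone=12" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2011:14:02:19 +0000] "GET /landing?lead=%3Cscript%3Edocument.location%3D%27http%3A//collector.example.net%27%3C/script%3E HTTP/1.1" 200 812 "http://ads.example.net/cpl?id=9" "Mozilla/5.0 (compatible; MSIE 9.0)"
198.51.100.9 - - [10/Mar/2011:14:03:02 +0000] "GET /offer?next=javascript:alert(1) HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2011:14:03:40 +0000] "GET /index.html?utm_source=partner HTTP/1.1" 200 9981 "http://www.example.com/" "Mozilla/5.0"
"""

# One "combined" log line: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers that should never appear in a URL an ad network hands to the browser.
# (Assumed, illustrative set; extend it from what your own logs show.)
MARKERS = [
    ("script tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("iframe tag", re.compile(r"<\s*iframe\b", re.I)),
    ("javascript: scheme", re.compile(r"javascript\s*:", re.I)),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("DOM access", re.compile(r"\b(document|window)\s*\.", re.I)),
]


def fully_decode(value, rounds=3):
    """Undo percent-encoding repeatedly so double-encoded payloads are seen as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_markers(text):
    """Return the names of all markers found in the decoded text, in MARKERS order."""
    decoded = fully_decode(text)
    return [name for name, rx in MARKERS if rx.search(decoded)]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Return one record per log line whose path or referer carries a suspicious marker."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a stricter deployment would count these too
        markers = suspicious_markers(rec["path"] + " " + rec["referer"])
        if markers:
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "referer": rec["referer"], "ua": rec["ua"],
                         "markers": markers})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["markers"], hit["referer"], hit["path"])
```

Run it over a real access log by replacing SAMPLE_LOG with the file contents; the referer column is what ties a flagged request back to the ad network that delivered it, which is the evidence you need before blocking that network.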
The other day one advertiser, using a different network than what I usually allow, ran what is called a Cost Per Lead advertisement. I’ve seen them before on other sites and thought they were interesting and might actually be helpful instead of annoying like so many ads are.
When my page loaded I found IE 9 had blocked a script using the XSS Filter, which protects against cross-site scripting. (I’ll link a video for you if cross-site scripting is new to you.)
The nice thing IE did was place a hash (“#”) symbol in place of the ad, along with the ad’s link. From the link you could find what IE detected and what caused me to block this ad network. I’m OK with a lot of things, but this system isn’t transparent enough for me to allow on any website that I manage.
The script was there to collect data; IE 9 thought it was an XSS script, and if you watched the video it might be recording your keystrokes while you are on the page. But I’m just speculating, because I haven’t had time to reverse the process to see what they might be collecting outside of the two form fields the advertisement displayed.
My concern is that if the script runs rogue it could be collecting more than what is displayed. I have the code in a text document linked near the bottom of this page.
The marketing approach is correct in my opinion but the method used is not what I believe is the best.
One thing that I did notice was the size of the file: a 40,000+ character script. I believe the way Cost Per Lead scripts work is that the form starts in the advertisement and then continues on the advertiser’s page. But why would all the fields be included in the advertisement, and why are field names like Credit Card, First Name and Last Name included inside the advertisement?
This again is only speculation, but in my opinion, if the script is an XSS and additional fields are placed that might be common to other sites, it could actually mirror them, as shown in Microsoft’s video.
I have my reservations about this form of advertisement now, and would like to remind webmasters and site developers that you have the final say over what is shown on your site.
My favorite is Google, but that wasn’t love at first sight, not in the least. In fact, I wrote an article about a subject that got me sandboxed before “Sandbox” was a buzzword. I’m not going to talk about what it was, but today, let’s say Google is now so transparent with its offering of management tools that my article would not be accurate. But before 2005 I still believe I was dead on with my conclusions.
Here are the issues webmasters should, in my opinion, take into consideration:
- Ad networks running scripts that trigger security alerts.
- Ad networks that encourage downloads with only the word “Download” in the ad.
- Ad networks that offer images of products with no additional information (it appears as if it’s your product).
- Ad networks that allow iframed third-level HTML injection. (Typically drive-by virus providers do this. Read the Drive-By Virus section in My Virus Infection.)
It’s not easy controlling something that isn’t totally in your control. You have to browse your own website and offer your visitors a method of contacting you about malformed and misleading ads. I ask for screenshots that help me identify who they are, and with the “Transparency” now offered in the management sections I can actually see the advertisement in question and then take action to block it and/or block the ad network.
When you search for answers about this subject you might not find what you need. It’s difficult when you are not a super-user client and only a small-town blogger. If you block something, will something bad happen? No and yes; you have to read and weigh the results in percentages and time. (Read your reports.)
In closing, I feel as a technician that any advertisement that appears to be aggressive in nature, like Shockwave cookies, virus injections, or data mining using cross-site scripting, should be blocked from your sites.
I know it’s important that advertisers gather information about us so they can sell products and services, but allow me to complete the form on my own, and don’t look for data on my computer without asking me first.
Have fun, watch your advertisers and listen to your visitors.
XSS article links, with Microsoft’s video explaining XSS in detail for computer users of all levels. (If you don’t believe it can happen to you, read any article about the Nimda virus.)
Text document displaying the full HTML code of the advertisement that triggered the XSS alert. (I will post this once I am sure all identifiable information has been removed.)