Exploitable Web Content Blocking Test


JavaScript

JavaScript is the main client-side scripting language of the web, and for the same reason it is the main vehicle for attacks on the browser: almost every drive-by exploit is delivered and staged as script, so a page that cannot run script has very little to work with.

JavaScript can easily be blocked by default in your browser settings or with a plugin such as NoScript, and then whitelisted on a per-site basis. This lets you keep full functionality on the sites you trust while getting the security of having it disabled everywhere else. Note that whitelisting is per origin: a site you allow may still pull in third-party scripts, and those stay blocked until you allow their origins too.

The main reason for blocking JavaScript is to protect against malicious websites and against trusted websites that have been compromised to serve an exploit, since the exploit almost always needs script to run.


iFrames

An iFrame loads a separate document, usually from another origin, inside a frame on the page. The framed document runs its own scripts and plugins and can be made invisible, so a compromised page can pull in malicious content in the background while your URL bar still displays the trusted site.

In order to block iFrames with AdblockPlus (or another ad blocker that supports the same syntax), add the following to your filters:

*$subdocument,domain=~whitelisted.tld|~two.tld|~three.tld

You can whitelist as many domains as you like by adding further ~domain entries to the list. Note that domain= refers to the domain of the page you are viewing, not the domain the frame is loaded from, and each entry also covers its subdomains. Unfortunately blocking iFrames will break Google reCAPTCHAs, which are delivered in an iFrame, so you'll need to whitelist websites where you need to use them.


PDFs

The most well known PDF reader, Adobe Reader, frequently has vulnerabilities and is the main target for PDF-borne malware. The Google Docs PDF viewer is a good alternative, since it parses the PDF on Google's servers and sends your browser only the rendered output as HTML, so an exploit aimed at your local reader never reaches it (you are trusting Google's parser instead of your own). The trade-off is that the document is uploaded to Google, so this is not an option for confidential files.

In order to block PDFs with AdblockPlus (or another ad blocker that supports the same syntax), add the following to your filters:

*.pdf

This will only block embedded PDF documents. AdblockPlus does not apply blocking filters to top-level page loads, so a direct link to a PDF or a PDF download will not be blocked and will still open in your PDF reader. Also note that the pattern is a substring match: it catches any URL that contains ".pdf" anywhere in it, not only URLs that end with that extension.


Objects

Objects are another form of subdocument or embedded content, so there is a lot of crossover when it comes to blocking them.

HTML documents displayed within objects are very similar to iFrames, so they are blocked by the same filter. Multimedia content such as PDFs or Flash that is displayed within an object is also blocked by its corresponding filter. However, a plugin running in an object is a large attack surface in its own right, so you should still block all objects, just to be safe!

In order to block objects with AdblockPlus (or another ad blocker that supports the same syntax), add the following to your filters:

*$object

You can also whitelist domains by appending the same domain=~ list to this filter as described for iFrames above, or with an @@ exception rule for the domain. One example is Google Earth, which will need to be whitelisted in order to work properly.
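To make the behaviour of the three filters above concrete (why the iFrame filter is disabled on whitelisted pages, why *.pdf does not block a direct link, and how an object exception rule is applied), here is an added example that models how AdblockPlus evaluates them. It is not code from this page or from the AdblockPlus project: it implements only the subset of filter syntax used here (patterns with * wildcards, the ^ separator and | / || anchors, the $subdocument, $object and $document type options, domain= inclusions and ~ exclusions, and @@ exception rules). All domain names, URLs and requests are constructed for the demo; the exception rule for maps.example is an assumed stand-in for a site such as Google Earth.

```javascript
// Added example: a small model of Adblock Plus blocking-filter semantics for
// the filters discussed on this page. Not the Adblock Plus engine.

const KNOWN_TYPES = new Set(['document', 'subdocument', 'object', 'script',
                             'image', 'stylesheet', 'xmlhttprequest']);

// Blocking filters without a type option apply to every type except the
// top-level page ('document'): this is why '*.pdf' blocks embedded PDFs but not
// a PDF you navigate to directly.
const DEFAULT_TYPES = new Set([...KNOWN_TYPES].filter(t => t !== 'document'));

function escapeRegex(c) {
  return /[-\/\\$+?.()|[\]{}]/.test(c) ? '\\' + c : c;
}

// Translate an ABP URL pattern into a RegExp: '*' wildcard, '^' separator
// (any non-URL character or end of URL), '|' start/end anchor, '||' domain anchor.
function patternToRegex(pattern) {
  let re = '';
  let start = 0;
  let end = pattern.length;
  if (pattern.startsWith('||')) {
    re += '^[a-z][a-z0-9+.-]*://(?:[^/?#]*\\.)?';
    start = 2;
  } else if (pattern.startsWith('|')) {
    re += '^';
    start = 1;
  }
  const anchorEnd = end > start && pattern.endsWith('|');
  if (anchorEnd) end -= 1;
  for (let i = start; i < end; i++) {
    const c = pattern[i];
    if (c === '*') re += '.*';
    else if (c === '^') re += '(?:[^a-zA-Z0-9_.%-]|$)';
    else re += escapeRegex(c);
  }
  if (anchorEnd) re += '$';
  return new RegExp(re, 'i');
}

// Parse one filter line into { text, exception, regex, types, includeDomains, excludeDomains }.
function parseFilter(text) {
  let body = text.trim();
  const exception = body.startsWith('@@');
  if (exception) body = body.slice(2);
  let types = null; // null means DEFAULT_TYPES
  const includeDomains = [];
  const excludeDomains = [];
  const dollar = body.lastIndexOf('$');
  if (dollar !== -1) {
    for (const opt of body.slice(dollar + 1).split(',')) {
      if (opt.startsWith('domain=')) {
        for (const d of opt.slice('domain='.length).split('|')) {
          if (d.startsWith('~')) excludeDomains.push(d.slice(1).toLowerCase());
          else includeDomains.push(d.toLowerCase());
        }
      } else if (KNOWN_TYPES.has(opt)) {
        if (types === null) types = new Set();
        types.add(opt);
      } else {
        throw new Error(`unsupported filter option "${opt}" in ${text}`);
      }
    }
    body = body.slice(0, dollar);
  }
  return { text, exception, regex: patternToRegex(body), types, includeDomains, excludeDomains };
}

function onDomain(pageDomain, domain) {
  return pageDomain === domain || pageDomain.endsWith('.' + domain);
}

// Does filter f apply to req = { url, type, pageDomain }? 'domain=' is checked
// against the page making the request, not against the URL being loaded.
function filterApplies(f, req) {
  if (!f.regex.test(req.url)) return false;
  if (!(f.types || DEFAULT_TYPES).has(req.type)) return false;
  const page = req.pageDomain.toLowerCase();
  if (f.includeDomains.length && !f.includeDomains.some(d => onDomain(page, d))) return false;
  if (f.excludeDomains.some(d => onDomain(page, d))) return false;
  return true;
}

// Decide one request against a filter list; @@ exception rules win over blocking rules.
function decide(filterList, req) {
  const hits = filterList.filter(f => filterApplies(f, req));
  const exception = hits.find(f => f.exception);
  if (exception) return { action: 'allow', filter: exception.text };
  const block = hits.find(f => !f.exception);
  if (block) return { action: 'block', filter: block.text };
  return { action: 'allow', filter: null };
}

const FILTERS = [
  '*$subdocument,domain=~whitelisted.tld|~two.tld', // iFrames, with two whitelisted page domains
  '*.pdf',                                            // embedded PDFs
  '*$object',                                         // all objects
  '@@||maps.example^$object',  // assumed exception rule whitelisting objects from one domain
].map(parseFilter);

// '*.pdf' is a substring match; '.pdf^' requires a separator or end of URL after the extension.
const TIGHTER_PDF_FILTER = parseFilter('.pdf^');

// Constructed requests (pageDomain is the page being viewed, url is what it loads).
const REQUESTS = {
  iframeOnNews:  { url: 'https://ads.example/frame.html',      type: 'subdocument', pageDomain: 'news.example' },
  iframeOnWhite: { url: 'https://ads.example/frame.html',      type: 'subdocument', pageDomain: 'sub.whitelisted.tld' },
  embeddedPdf:   { url: 'https://cdn.example/report.pdf',      type: 'object',      pageDomain: 'news.example' },
  directPdf:     { url: 'https://cdn.example/report.pdf',      type: 'document',    pageDomain: 'cdn.example' },
  pdfLookalike:  { url: 'https://cdn.example/docs.pdfs/app.js', type: 'script',     pageDomain: 'news.example' },
  allowedObject: { url: 'https://maps.example/plugin.swf',     type: 'object',      pageDomain: 'maps.example' },
  spoofedObject: { url: 'https://evilmaps.example/plugin.swf', type: 'object',      pageDomain: 'news.example' },
};

function runDemo() {
  const out = {};
  for (const [name, req] of Object.entries(REQUESTS)) out[name] = decide(FILTERS, req);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(runDemo())) {
    console.log(`${name.padEnd(14)} ${r.action.padEnd(6)} ${r.filter || '(no filter matched)'}`);
  }
}
```

Running it shows the iFrame blocked on news.example but allowed on a subdomain of whitelisted.tld, the same PDF URL blocked as an embedded object yet allowed as a top-level navigation, the .pdfs lookalike path caught by *.pdf but not by .pdf^, and the object exception applying only to maps.example and not to evilmaps.example, because || anchors at a domain boundary.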