Here we have some malscript code that is being flagged by Firekeeper in the Mozilla browser.
Sometimes when you find code online, it is a good policy to feed it into the Google search engine and see if Firekeeper alerts and flags the exploit attempts. In this process one learns about malcode and to what purpose it is abused, to detect it better and be better protected against it.
I give you two examples:
Another couple of examples, where using the characters instead may fool the filters and allow XSS to work, some detection rules, and examples of fully decoded code, where we used this tool to see what it has in store for us once unpacked: http://www.strictly-software.com/unpack-javascript.aspx
For the fans I have attached the examples in a txt file.
I give some examples of how it was flagged in my browser in the attached txt file. The rest of the testing can be done by users here that have Firefox or Flock with Firekeeper, NoScript and the Netcraft toolbar installed. They should nip all these attempts in the bud.
A very nice article about the threat of XSS vulnerabilities on a website is here: http://blogs.apache.org/infra/entry/apache_org_04_09_2010
Every leak means a potential threat when valuable information resides on a particular web site. The effect of an XSS leak is directly related to the nature of that website (valuable data). For website owners, input validation and the secure use of PHP, Perl, etc. are measures they should take against XSS, SQL attacks and buffer overflows. The consumer can feel secure with NoScript active in the browser; the XSS attack will have ended before it has begun.
As an example, one of them was flagged as:
=== Triggered rule ===
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
Click the above link and you will get an XSS warning through the NoScript extension (if you have that installed).
About making up your own Firekeeper rules: Firekeeper rules are made of two parts: the rule header and the rule options. The header defines three actions that can be taken whenever a rule match is detected: pass, drop, and alert. Whenever a 'pass' action rule match occurs, it allows processing of HTTP traffic without going for any further checks. Likewise, the 'drop' action blocks all traffic without any user intervention, and 'alert' generates an alert window.
The rule options describe what should trigger an action and other information about the rule. There are three choices: url_content, headers_content, and body_content. Creating a rule is simple. Open a text file and write
In the body_content tag, specify the content that you want to scan for in the incoming traffic, and in the msg tag define the message that should be displayed when such content is detected. The nocase tag signifies that the content specified in the body_content tag will be searched without any arguments.
If you like, you can use it as a User Agent in User Agent Switcher, an extension for the Firefox and Flock browsers. Sometimes this can also be a way to avoid browser bugs.
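The rule structure described above (a pass/drop/alert header followed by options), applied to the rule quoted in this post, as an added example that is not part of the original post or of Firekeeper itself. It assumes url_content options are all required and are matched against the raw, still percent-encoded URL, case-sensitively unless followed by nocase; the helper names, NOCASE_RULE and the shop.example URLs are constructed for illustration.

```python
import re

# Rule text as quoted on this page.
PAGE_RULE = (
    'alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; '
    'msg:"Suspicious looking GET request containing %3C, %3E, and %22. '
    'Suspiciously HTML-like."; '
    'reference:url,http://ha.ckers.org/xss.html; '
    'reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)'
)
# Constructed variant: the same rule with nocase after each url_content.
NOCASE_RULE = (PAGE_RULE.replace('; url_content', '; nocase; url_content')
               .replace('; msg', '; nocase; msg'))

ACTIONS = ("pass", "drop", "alert")
# One option: keyword, optionally ':' plus a quoted or bare value, then ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(text):
    """Split a rule into its header action and an ordered (key, value) option list."""
    m = re.fullmatch(r'\s*(\w+)\s*\((.*)\)\s*', text, re.S)
    if not m or m.group(1) not in ACTIONS:
        raise ValueError("not a pass/drop/alert rule")
    options = [(k, v.strip().strip('"')) for k, v in OPTION_RE.findall(m.group(2))]
    return m.group(1), options

def evaluate(rule_text, url):
    """Return the rule's action if every url_content option occurs in url, else None.
    Assumption: options are ANDed; nocase applies to the content option before it."""
    action, options = parse_rule(rule_text)
    contents, last = [], None
    for key, val in options:
        if key == "url_content":
            last = [val, False]
            contents.append(last)
        elif key == "nocase":
            if last:
                last[1] = True
        elif key.endswith("_content"):
            last = None  # headers/body options are not evaluated in this sketch
    if not contents:
        return None
    for pattern, nocase in contents:
        hay, needle = (url.lower(), pattern.lower()) if nocase else (url, pattern)
        if needle not in hay:
            return None
    return action

# Constructed sample requests: uppercase hex, quote only, lowercase hex.
UPPER_URL = "http://shop.example/search?q=%22%3E%3Cb%3Ehi"
QUOTE_URL = "http://shop.example/search?q=%22quoted%22"
LOWER_URL = "http://shop.example/search?q=%22%3e%3cb%3ehi"
```

Under these assumptions the rule as quoted only sees the uppercase hex form of the encoded characters; the nocase variant reports both forms.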