Actually, with more and more attack vectors found online, in-browser protection is something no user can go without. In my browser (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090315 Minefield/3.2a1pre ID:20090315050013) I use NoScript, RequestPolicy, Perspectives, CSP and Firekeeper with some malware lists installed. When I test protection against XSS (cross-site scripting) vulnerabilities, it is either Firekeeper or NoScript that alerts me that it has protected the browser. A good testing site I found here:
hxxp://www.xssing.com/index.php?x=1 Pick an attack vector there and then click Test it!
(These tests are only to be performed by users that use Firefox or Flock browsers and have NoScript or Firekeeper with the XSS rules list installed; for others I have made the link non-clickable!)
Are we protected all around by NoScript? I guess we are, but without it, and in another browser?
One giveaway: Firekeeper got them all. Inside Firekeeper I run the following rules lists: the "Experimental Firekeeper rules" by Alexander Sotirov, the list from malware.hiperlinks.com, the www.malware.com.br aggressive list and, most important here: http://firekeeper.mozdev.org/rules/XSS.fk
You should test for these XSS/Cross Site Scripting vulnerabilities with the XSS-Me add-on; see the results for a vulnerable site:
Test Results
XSS Heuristic Test Results
; \ / < > " ' =
unamed form::search term
unamed form::button
The character was found unencoded in the result page.
The character was not found unencoded in the result page.
XSS String Tests Summary (18 tests executed)
Failures: 0
Warnings: 7
Passes: 11
XSS String Test Results
search term
Submitted Form State:
* button: Search
Results:
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <SCRIPT document.vulnerable=true;
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value:
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value:
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value:
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value:
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value:
DOM was not modified by attack string. Field does not appear vulnerable to XSS String
Tested value: <SCRIPT document.vulnerable=true;
The unencoded attack string was not found in the html of the document.
Tested value: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^=document.vulnerable=true;>
DOM was not modified by attack string. Field does not appear vulnerable to XSS String
Tested value: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^=document.vulnerable=true;>
The unencoded attack string was not found in the html of the document.
Tested value:
DOM was not modified by attack string. Field does not appear vulnerable to XSS String
Tested value: <
DOM was not modified by attack string. Field does not appear vulnerable to XSS String
Tested value:
DOM was not modified by attack string. Field does not appear vulnerable to XSS String
Tested value:
DOM was not modified by attack string. Field does not appear vulnerable to XSS String
Tested value:
DOM was not modified by attack string. Field does not appear vulnerable to XSS String
Tested value:
DOM was not modified by attack string. Field does not appear vulnerable to XSS String
Tested value:
DOM was not modified by attack string. Field does not appear vulnerable to XSS String
Tested value:
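To make the heuristic part of the report above easier to read, here is an added example (not code from the thread or from the XSS-Me add-on) that reproduces the idea of its heuristic test: submit a sentinel around each of the eight characters `; \ / < > " ' =` and classify whether the character came back unencoded in the response HTML. The sentinel string, the two constructed search pages and the warning/pass counting are assumptions of this example.

```python
import html

# The eight characters the XSS-Me heuristic test looks for in the result page.
HEURISTIC_CHARS = [';', '\\', '/', '<', '>', '"', "'", '=']
MARKER = "xsschk"  # constructed sentinel so the probe is easy to find in the response


def probe_for(ch):
    """Constructed probe value for one character: sentinel, character, sentinel."""
    return f"{MARKER}{ch}{MARKER}"


def heuristic_result(ch, body):
    """Classify how a probe character was reflected, in XSS-Me's terms.

    'unencoded' : the raw character sits between the sentinels (a warning)
    'encoded'   : the sentinels are present but the character was transformed or dropped
    'absent'    : the submitted value was not reflected at all
    """
    if probe_for(ch) in body:
        return "unencoded"
    start = body.find(MARKER)
    if start == -1:
        return "absent"
    end = body.find(MARKER, start + len(MARKER))
    return "encoded" if end != -1 else "absent"


def heuristic_report(render):
    """Run the heuristic for every character; `render` maps a submitted value to response HTML."""
    return {ch: heuristic_result(ch, render(probe_for(ch))) for ch in HEURISTIC_CHARS}


def summarize(report):
    """Count warnings (unencoded reflections) and passes, like the tool's summary block."""
    warnings = sum(1 for r in report.values() if r == "unencoded")
    return {"warnings": warnings, "passes": len(report) - warnings}


# Two constructed search-result pages: one reflects the term raw, one HTML-encodes it.
def vulnerable_search(term):
    return f"<html><body>Results for {term}: 0 hits</body></html>"


def hardened_search(term):
    return f"<html><body>Results for {html.escape(term, quote=True)}: 0 hits</body></html>"
```

Note that even the hardened page still yields four warnings (`; \ / =` are not touched by HTML escaping), which is why the tool reports these as warnings rather than failures: in a text node they are harmless, in an attribute or script context they are not, so each warning needs a look at the surrounding HTML.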
I’m not a web developer, so I don’t have any need to use the XSS Me extension to test a web site. It was fun to test it out on the Mozilla Firefox Start Page. It passed 72 tests with no failures or warnings. Whew!
Using your obfuscated test site with various attack vectors wasn’t very interesting though. I had to allow javascript on xssing.com just to get to the point where NoScript sanitized the suspicious looking attack strings. Boring.
I’m trying it out on IE7 now. I don’t see anything bad happenin
What is your opinion about this reaction I received:
What about XSS Assistant?
"The goal of this script is to allow users to easily test any web for cross-site-scripting flaws. The script aims to do this by providing an easy to use menu by any form. It should be noted that although I may refer only to forms for the rest of the description, the script does also allow the user to test the current variables in the url bar for cross site scripting flaws. While this script does help a user find an XSS flaw it cannot really be used without understanding what an XSS flaw is. If you do not yet understand XSS flaws, I suggest you read up on it."
This script can test for multiple vectors from RSnake's XSS Cheat Sheet and from another one by mario; it can also be used to report the XSS directly to xssed.com. We suggest that you take a look at this script, as it can be very useful to search for XSS holes.
CSP is very important to install, because browser and server (if this is fully implemented for IE and Mozilla browsers and various servers alike) are going to work hand in glove: the browser will know what to expect and allow from the server and vice versa, so third-party interference will be excluded much more easily.
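As an added example (not from the thread, and a simplification of how a real browser evaluates CSP), the following shows the "browser knows what to expect from the server" idea: the server sends a policy header, and the browser decides from it whether an external script may run. Matching is reduced to `'self'`, `'none'`, `*`, plain hosts and `*.` wildcards (ports and paths are ignored), and the page origin, policies and hosts are constructed for the example.

```python
from urllib.parse import urlsplit


def parse_csp(header):
    """Parse 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for part in header.split(';'):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_allowed(header, page_origin, script_url):
    """Would a browser enforcing this header run an external script from script_url?

    Simplified matching (an assumption of this example): 'self', 'none', '*', host or
    scheme://host, optionally with a leading '*.' wildcard; ports and paths are ignored.
    script-src is used when present, otherwise default-src.
    """
    policy = parse_csp(header)
    sources = policy.get('script-src', policy.get('default-src'))
    if sources is None:
        return True  # no applicable directive: the browser applies no restriction
    page, script = urlsplit(page_origin), urlsplit(script_url)
    for src in sources:
        if src == "'self'":
            if (script.scheme, script.netloc) == (page.scheme, page.netloc):
                return True
            continue
        if src.startswith("'"):
            continue  # 'none', 'unsafe-inline', ... never match a host
        scheme, _, host = src.rpartition('://')
        if scheme and scheme.lower() != script.scheme:
            continue  # e.g. https://cdn.example does not cover a plain-http load
        if host == '*' or script.hostname == host:
            return True
        if host.startswith('*.') and script.hostname and script.hostname.endswith(host[1:]):
            return True
    return False


# Constructed example: a first-party page, a trusted CDN and an unrelated third party.
PAGE = "https://shop.example"
WEAK_POLICY = "default-src *"  # any origin may serve scripts: no third-party exclusion
STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example"


def compare_policies(script_url):
    """Return (allowed under the weak policy, allowed under the strict policy)."""
    return (script_allowed(WEAK_POLICY, PAGE, script_url),
            script_allowed(STRICT_POLICY, PAGE, script_url))
```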