Xss Me For Firefox

  1. XSS ME: Cross-Site Scripting (XSS) is a common flaw found in today's web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process helps protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities.
  2. Improved Firefox Preview (Fenix) / Firefox for Android UI. Completely asynchronous XSS filter in its dedicated process. Several new and updated translations, thanks to the Localization Lab / OTF NoScript Transifex project. The 'Override Tor Browser Security Level preset' option offers more flexibility to NoScript+Tor power users. More in the changelog.
  3. So if your exploitable page is the top result for some random keyword (as you see here) you can use that feature against any Firefox user. This uses Firefox's keyword: protocol. You can concatenate several keywords by using something like keyword:XSS+RSnake, for instance. This no longer works in Firefox as of 2.0.
  4. 2009-02: XSS using a chrome XBL method and window.eval; 2009-01: Crashes with evidence of memory corruption (rv:1.9.0.6). Fixed in Firefox 3.0.5: 2008-69: XSS vulnerabilities in SessionStore; 2008-68: XSS and JavaScript privilege escalation; 2008-67: Escaped null characters ignored by CSS parser.

Tamper Data is a great tool to view and modify HTTP/HTTPS headers and POST data.

Add-on for FireFox - Find-XSS-Fire

There are many scanners on the Internet that test the parameters in the address bar. Most of them are paid, and not cheap. But none of them is a browser extension. We decided to fill this gap. Meet the beta version of the Find-XSS-Fire scanner. It is certainly not as powerful as our online scanner, but it can find things that might otherwise be missed. Besides, it is absolutely free. Installation and use are described below:


Download (install) here, version 0.0.4


Installation:
Warning: scanning may disrupt the operation of the site; scanning on localhost is recommended!
1. Drag the downloaded file into the FireFox browser and accept the installation.
2. The scanner icon should appear in the lower right corner (see the screenshot).
If not, the lower add-on toolbar is disabled.
To enable it: View -> Toolbars -> Add-on Bar (or Ctrl+/, but this shortcut does not work on all systems).
3. Enter the URL of your website or a local address in the window that opens.
4. Choose the scanning level (3 is recommended).
5. The scanner may be used only on your own websites. Any scanning of third-party products is prohibited and leads to criminal liability. If you are scanning your own site, confirm it by checking the box.
6. Click "scan" and the scanner starts.
7. Wait for the scan results. It may take up to a few hours, depending on your server's response time and the nesting level.
If vulnerabilities are found, you can contact us to have them fixed.


Status

Stage: Definition
Status: In progress
Release target:
Health: OK
Status note: Testing feasibility.

Team

Product manager: Sid Stamm
Directly Responsible Individual: Sid Stamm
Lead engineer: Riccardo Pelizzi
Security lead: Curtis Koenig
Privacy lead: Sid Stamm
Localization lead:
Accessibility lead:
QA lead:
UX lead:
Product marketing lead:
Operations lead:
Additional members:

Open issues/risks

  • [ON TRACK] Complete C++ implementation
  • [NEW] Test the feature in the Aurora channel to assess its compatibility with existing websites.
  • [NEW] Measure the average overhead of the filter? (Can we use telemetry to find this out?)

Stage 1: Definition

1. Feature overview

This feature provides protection from reflected XSS attacks: these are the attacks where a malicious person inserts a script into a URL, and a vulnerable page reflects the contents of the URL into a page (where the script is run). If a user is tricked into visiting such a URL, the attacker's code runs in the domain of the page reflecting it and therefore has access to sensitive information for that domain (such as cookies). A filter can identify which portions of JavaScript code are generated from input parameters (such as the URL) and refuse to execute scripts containing such portions. Unlike its competitors, this filter attempts to account for arbitrary input transformation (using an approximate substring matching algorithm) and for injection of malicious code into preexisting scripts (partial injection).

The diagram (not reproduced here) shows how the filter interacts with the rest of the browser: it is tightly integrated into the Mozilla framework and is able to interpose on calls to the JavaScript engine, which happen either when (a) a <script> node or some other HTML construct is parsed by the HTML engine, (b) JavaScript evaluates strings as code (e.g. using eval or setTimeout) or (c) JavaScript uses the DOM API to generate new HTML content that is fed into the parser.

2. Users & use cases


3. Dependencies

Firefox


4. Requirements

The goal of this feature is to automatically protect users from reflected XSS attacks. Characteristics:

  • The filter should have low overhead. We are currently implementing it in plain C++, avoiding XPCOM overhead where possible.
  • The filter should have almost no false positives (that is, it should not break existing websites in absence of an actual attack).
  • The filter should not rely on user input. A false positive cannot be considered a 'minor annoyance' just because the user can be shown a dialog to decide whether to actually block the script. In fact, if the filter is compatible enough, it should not be easily disabled.
  • The filter should not introduce new vulnerabilities in existing websites (i.e. universal XSS a la IE8).

Non-goals

  • This feature will not stop persistent or injected XSS attacks (only reflected ones).
  • The filter will not be able to deal with complex string transformations employed by web applications. In this case, it will fail to recognize that the script was provided by an input parameter and allow it to run.
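The following Python model is an added example, not code from the Mozilla project or from this page. It shows the behaviour described in the feature overview (section 1), in the requirements and in the non-goals above: request inputs are decoded from the URL, every string about to run as script is attributed to an input with an approximate substring match (Sellers' edit-distance algorithm, a simpler stand-in for the Sekar-style matcher the page cites), both full and partial injection are checked, and the three interposition points (a) parser, (b) eval and (c) DOM insertion all route through the same check. The thresholds, the `JS_SYNTAX` restriction on partial matches, the `example.test` URLs and the responses are constructed assumptions; the last three scenarios show the stated non-goals (decoded/transformed input and stored payloads are not attributed) and the DOM-based case.

```python
"""Toy model of the reflected-XSS filter described above (added example, not
Mozilla code). It attributes script text to request inputs with approximate
substring matching and interposes on the three script-entry points."""
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
JS_SYNTAX = set(';(){}"\'<>')  # characters that can change a script's meaning
MIN_LEN = 8                    # assumed: shorter strings cannot be attributed


def approx_distance(needle, haystack):
    """Sellers' algorithm: smallest edit distance between `needle` and any
    substring of `haystack` (the match may start and end anywhere)."""
    prev = [0] * (len(haystack) + 1)
    for i, nc in enumerate(needle, 1):
        cur = [i] * (len(haystack) + 1)
        for j, hc in enumerate(haystack, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (nc != hc))
        prev = cur
    return min(prev)


def approx_contains(needle, haystack):
    """True if `needle` occurs in `haystack` allowing up to 25% edits, which
    tolerates small server-side rewrites (case folding, trimmed whitespace)."""
    return len(needle) >= MIN_LEN and approx_distance(needle, haystack) <= len(needle) // 4


def request_inputs(url):
    """Decoded query values and fragment: everything the attacker controls in the URL."""
    parts = urlsplit(url)
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if parts.fragment:
        values.append(unquote(parts.fragment))
    return [v for v in values if len(v) >= MIN_LEN]


class XssFilter:
    def __init__(self, url):
        self.inputs = request_inputs(url)

    def injected_by(self, code):
        """Input that `code` appears to come from, or None. Full injection: the whole
        script body is found in an input. Partial injection: an input carrying JS
        syntax sits inside an existing script (a plain-text value cannot break out)."""
        code = code.strip()
        for value in self.inputs:
            if approx_contains(code, value):
                return value
            if JS_SYNTAX & set(value) and approx_contains(value, code):
                return value
        return None

    def on_parse_html(self, markup):
        """(a) HTML parser: each inline <script> body with its verdict (True = allowed)."""
        return [(body.strip(), self.injected_by(body) is None)
                for body in SCRIPT_RE.findall(markup)]

    def on_eval(self, code):
        """(b) eval/setTimeout: a string about to be compiled as code."""
        return self.injected_by(code) is None

    def on_dom_insert(self, fragment):
        """(c) DOM API (innerHTML etc.): new markup is fed back through (a)."""
        return self.on_parse_html(fragment)


def run_scenarios():
    """Constructed requests and responses; returns name -> list of allowed flags."""
    out = {}
    payload = "<script>alert(1)</script>"
    legit = '<script>document.title = "Results";</script>'
    url = "https://example.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
    # Classic reflection: the page echoes ?q= unescaped; the legitimate script still runs.
    out["reflected"] = [ok for _, ok in XssFilter(url).on_parse_html("<p>" + payload + "</p>" + legit)]
    # Same request, but the page HTML-escapes the value: no false positive.
    escaped = "<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>" + legit
    out["escaped"] = [ok for _, ok in XssFilter(url).on_parse_html(escaped)]
    # Partial injection into a pre-existing script through a JS string literal.
    url = "https://example.test/search?q=x%22%3Balert(1)%3B//"
    page = '<script>var q = "x";alert(1);//"; search(q);</script>'
    out["partial"] = [ok for _, ok in XssFilter(url).on_parse_html(page)]
    # A plain-text value placed in the same literal is allowed.
    url = "https://example.test/search?q=hello+world+news"
    page = '<script>var q = "hello world news"; search(q);</script>'
    out["plain_text"] = [ok for _, ok in XssFilter(url).on_parse_html(page)]
    # The server collapses whitespace before echoing: approximate matching still attributes it.
    url = "https://example.test/search?q=%3Cscript%3Ealert(%201%20)%3C/script%3E"
    out["rewritten"] = [ok for _, ok in XssFilter(url).on_parse_html(payload)]
    # Non-goal: the server base64-decodes the parameter, so nothing in the URL matches.
    b64 = base64.b64encode(payload.encode()).decode()
    url = "https://example.test/view?data=" + b64
    out["transformed"] = [ok for _, ok in XssFilter(url).on_parse_html(base64.b64decode(b64).decode())]
    # Non-goal: stored payload, nothing in the URL to attribute it to.
    out["stored"] = [ok for _, ok in XssFilter("https://example.test/profile/42").on_parse_html(payload)]
    # DOM-based: page script copies location.hash into innerHTML; caught at (c).
    url = "https://example.test/#%3Cscript%3Ealert(1)%3C/script%3E"
    f = XssFilter(url)
    out["dom_based"] = [ok for _, ok in f.on_dom_insert(unquote(urlsplit(url).fragment))]
    out["eval"] = [f.on_eval("alert(1)"), f.on_eval('document.title = "Results"')]
    return out


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:12s} allowed={verdicts}")
```

The `plain_text` and `escaped` scenarios are the false-positive checks the requirements call for; note that a value containing JS syntax which the site escapes correctly inside a string literal would still trip this toy's partial-injection rule, which is exactly why the requirements treat false positives as the hard part of the design rather than a user-dialog question.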

Stage 2: Design

5. Functional specification


6. User experience design


Stage 3: Planning

7. Implementation plan


8. Reviews

Security review

Privacy review


Localization review


Accessibility


Quality Assurance review


Operations review


Stage 4: Development

9. Implementation

Stage 5: Release

10. Landing criteria



Feature details

Priority: P3
Rank: 999
Theme / Goal: Product Hardening
Roadmap: Security
Secondary roadmap: Platform
Feature list: Platform
Project:
Engineering team: Security

Team status notes

(team: status; notes)
Products:
Engineering:
Security: sec-review-active; Needs a 2nd review meeting
Privacy:
Localization:
Accessibility:
Quality assurance:
User experience:
Product marketing:
Operations:


  • IE8 filter: based on regexps, it is basically a proxy (even though it lives in the browser process) that mangles scripts if they are deemed malicious. Sanitizing the attack through mangling is very dangerous, because it might affect the way the rest of the page is parsed. This made an attack possible on an earlier version of the filter.
  • NoScript XSS filter: this popular Firefox add-on comes with an XSS filter. However, the extension interface does not allow developers to predicate on the content of scripts; therefore, NoScript can only detect suspicious patterns in the URL that may represent HTML or JavaScript code, without actually confirming that the malicious code appears on the page without being properly sanitized.
  • Chrome XSS Filter: WebKit integrates an XSS filter called XSSAuditor. Unlike IE8, it is tightly integrated into the browser, interposing on calls to the JavaScript engine. This allows Chrome to easily sanitize malicious content without resorting to mangling, and improves the filter's accuracy with respect to identifying what content is interpreted as script by the browser. Moreover, it also automatically extends the protection to DOM-based XSS attacks. Firefox's filter is based on this design.
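To make the NoScript versus XSSAuditor distinction concrete, here is an added Python comparison (not NoScript's, WebKit's or Mozilla's code) of a request-only heuristic, which is all a component without access to script content can do, against a check that confirms a request value actually became an inline script body in the response. The `URL_HEURISTIC` pattern, the `MIN_LEN` cut-off and the `example.test` pages are constructed assumptions. The same query is run against an escaping page and a vulnerable page, and a third case shows a value the URL heuristic has no reason to flag because the page itself supplies the script tags.

```python
"""Added example: request-only heuristic vs. content-confirmed detection.
Not NoScript's or Chrome's code; pattern, URLs and pages are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed NoScript-like heuristic: does any request value look like markup or script?
URL_HEURISTIC = re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
MIN_LEN = 8  # assumed: bodies shorter than this cannot be attributed reliably


def request_values(url):
    """Decoded query values of the request."""
    return [v for _, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def url_only_verdict(url):
    """Request side only: fires on the look of the value, never sees the page."""
    return any(URL_HEURISTIC.search(v) for v in request_values(url))


def content_confirmed_verdict(url, response_html):
    """Response side: fires only when an inline script body came from a request value."""
    bodies = [b.strip() for b in SCRIPT_RE.findall(response_html)]
    return any(len(b) >= MIN_LEN and b in v for b in bodies for v in request_values(url))


def compare(url, response_html):
    """Both verdicts for one request/response pair."""
    return {"url_only": url_only_verdict(url),
            "confirmed": content_confirmed_verdict(url, response_html)}


# Constructed cases: one query against an escaping page and a vulnerable page, then a
# value the heuristic sees nothing wrong with because the page supplies the tags.
CASES = {
    "escaping_page": compare(
        "https://example.test/s?q=%3Cscript%3Ealert(1)%3C/script%3E",
        "<p>&lt;script&gt;alert(1)&lt;/script&gt;</p><script>document.title = 'Results';</script>"),
    "vulnerable_page": compare(
        "https://example.test/s?q=%3Cscript%3Ealert(1)%3C/script%3E",
        "<p><script>alert(1)</script></p>"),
    "page_supplies_tags": compare(
        "https://example.test/s?q=alert(1)",
        "<script>alert(1)</script>"),
}

if __name__ == "__main__":
    for name, verdict in CASES.items():
        print(name, verdict)
```

The first case is the false positive the requirements above want to avoid (a URL-only filter blocks a page that escaped correctly); the third is the reverse error, a miss that only a filter interposing on what the browser actually executes can close, which is the argument made in the Bates/Barth/Jackson paper cited below.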

Research References:

  • Chrome XSS paper: Bates, D., Barth, A., & Jackson, C. (2010). Regular expressions considered harmful in client-side XSS filters. Proceedings of the 19th International Conference on World Wide Web (WWW 2010), p. 91. New York: ACM Press. doi:10.1145/1772690.1772701.
  • BEEP (first solution to use JS interposition): Jim, T., Swamy, N., & Hicks, M. (2007). Defeating script injection attacks with browser-enforced embedded policies. Proceedings of the 16th International Conference on World Wide Web (WWW 2007), p. 601. New York: ACM Press. doi:10.1145/1242572.1242654.
  • Attack on IE8: Nava, E., & Lindsay, D. (2010). Abusing Internet Explorer 8's XSS filters. BlackHat Europe.
  • Implementation of the Approximate String Matching algorithm: Sekar, R. (2009). An efficient black-box technique for defeating web application attacks. NDSS 2010.

Retrieved from 'https://wiki.mozilla.org/index.php?title=Security/Features/XSS_Filter&oldid=457524'