Check a site for XSS vulnerabilities with XSS Rays

Discussion in 'other anti-malware software' started by Windows_Security, Dec 12, 2014.

    I don't like micro-managing my browser, so I'm not a fan of NoScript. To be fair, I have to give the author of NoScript credit that his ideas are implemented in most modern browsers: https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-stock.pdf and http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html


    XSS is a server-side problem, see http://www.computerweekly.com/tip/Cross-site-scripting-explained-How-to-prevent-XSS-attacks.

    It is impossible to solve it on the client side while keeping all functionality intact. See for instance http://blog.elevenpaths.com/2014/01/how-to-bypass-antixss-filter-in-chrome.html. This iframe PoC could easily be prevented by using Gorhill's uBlock to block third-party iframes.

    Blocking only iframes won't break the functionality of 99% of websites, while increasing security. For those wanting granular control, use uMatrix. The matrix interface of uMatrix might look complex, but the two-dimensional rules matrix greatly reduces the number of exception rules (compared to a one-dimensional exception list like the one NoScript uses, for instance).

    For the nerds and the paranoid among us (the default at Wilders, I guess), there is a nice Chrome extension intended for penetration testing which can also be used to check a site for XSS vulnerabilities: XSS Rays, explained at http://www.thespanner.co.uk/2011/01/21/xss-rays-extension/ and https://github.com/beefproject/beef/wiki/Xss-Rays

    You can test a site with the default PoC, see image below:
    1. Click on the X icon when visiting a site
    2. Choose SCAN from the menu
    3. Click Extract links
    4. Select All or the (same-domain) links you would like to check
    5. Click Run XSS injector



    Have fun


    XSS Rays.png
     
    Last edited: Dec 12, 2014
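The five-step procedure in the post (extract the same-domain links, inject a payload into each, see what reflects) can be written out as a small offline script. The block below is an added example and is not XSS Rays' own code nor anything from the forum post: the sample page, the probe string, the `fakeServer` standing in for `fetch()`, and the function names are all constructed for illustration. The fake server has one endpoint that HTML-encodes its output (the server-side fix the post refers to) and one that echoes the parameter raw, so the scan finds exactly one reflecting parameter.

```javascript
// Added example: an offline sketch of the "extract links -> inject -> check" loop
// that XSS Rays automates. Illustrative code, not the extension's source; the sample
// page, the fake server, the probe string and the function names are all constructed.

const ORIGIN = 'https://example.test';

// Constructed sample page: two same-origin links with query parameters, one
// external link and one mailto: link (both of which the scanner must skip).
const SAMPLE_HTML = `
<a href="/search?q=shoes&page=2">Search</a>
<a href="https://example.test/profile?name=alice">Profile</a>
<a href="https://other.example/?x=1">Elsewhere</a>
<a href="mailto:someone@example.test">Mail</a>
`;

// Probe marker containing the characters that must be HTML-encoded in output.
const PROBE = 'xsr<>"\'';

// Step "Extract links": pull href values and keep only same-origin ones.
function extractLinks(html, origin) {
  const links = new Set();
  const hrefRe = /href\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = hrefRe.exec(html)) !== null) {
    let url;
    try {
      url = new URL(m[1], origin); // resolves relative links against the page origin
    } catch {
      continue; // malformed href, skip it
    }
    if (url.origin === origin) links.add(url.href);
  }
  return [...links];
}

// Step "Run XSS injector": one test URL per query parameter, probe placed in that parameter.
function injectProbe(links, probe = PROBE) {
  const tests = [];
  for (const href of links) {
    const params = [...new URL(href).searchParams.keys()];
    for (const param of params) {
      const u = new URL(href);
      u.searchParams.set(param, probe); // percent-encoded on the wire, decoded server-side
      tests.push({ href, param, testUrl: u.href });
    }
  }
  return tests;
}

// A finding is the probe coming back byte-for-byte, i.e. unencoded. XSS Rays inspects the
// live DOM instead; a substring match is the simplified, assumed form used here.
function reflectsUnencoded(body, probe = PROBE) {
  return body.includes(probe);
}

// Full loop. fetchFn(url) returns a response body; returns the reflecting test cases.
function runScan(html, origin, fetchFn, probe = PROBE) {
  const findings = [];
  for (const t of injectProbe(extractLinks(html, origin), probe)) {
    if (reflectsUnencoded(fetchFn(t.testUrl), probe)) findings.push(t);
  }
  return findings;
}

// Constructed fake server standing in for fetch(): /search encodes its output,
// /profile echoes the parameter raw (the reflected-XSS case).
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

function fakeServer(urlString) {
  const url = new URL(urlString);
  if (url.pathname === '/search') {
    return `<p>Results for ${escapeHtml(url.searchParams.get('q') ?? '')}</p>`;
  }
  if (url.pathname === '/profile') {
    return `<h1>Hello ${url.searchParams.get('name') ?? ''}</h1>`; // vulnerable: raw echo
  }
  return '<p>not found</p>';
}

// Stand-alone run: reports the one reflecting parameter (profile?name=...).
for (const f of runScan(SAMPLE_HTML, ORIGIN, fakeServer)) {
  console.log(`reflected unencoded: ${f.href} param "${f.param}"`);
}
```

Against a real site you would swap `fakeServer` for a `fetch()` of each `testUrl` and, as the post's step 4 suggests, restrict the scan to the same-domain links; scanning other people's hosts this way is an active test and needs authorisation.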