Check a site for XSS vulnerabilities with XSS Rays

Discussion in 'other anti-malware software' started by Windows_Security, Dec 12, 2014.

    I don't like micro-managing my browser, therefore I am not a fan of NoScript. To be fair, I have to give the author of NoScript credit that his ideas are implemented in most modern browsers: and

    XSS is a server-side problem, see

    It is impossible to solve it on the client side while keeping all functionality intact. See for instance: this iframe PoC could easily be prevented by using gorhill's uBlock to block third-party iframes. Anti-exploit testing

    Blocking only iframes won't break the functionality of 99% of websites, while increasing security. For those wanting granular control, use uMatrix. The matrix interface of uMatrix might look complex, but the two-dimensional rules matrix greatly reduces the number of exception rules (compared to a one-dimensional exception list like the one NoScript uses, for instance).

    For the nerds and the paranoid among us (the default at Wilders, I guess), there is a nice Chrome extension intended for penetration testing which can also be used to check a site for XSS vulnerabilities: XSS Rays, explained at and

    You can test a site with the default PoC (see the image below):
    1. Click on the X icon when visiting a site
    2. Choose SCAN from the menu
    3. Click Extract links
    4. Select All, or the (same-domain) links you would like to check
    5. Click Run XSS injector

    Have fun

    (Attached image: XSS Rays.png)
    Last edited by a moderator: Dec 12, 2014
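What an "extract links, then run the injector" scan actually does under the hood, as an added example that is not part of the original post and not XSS Rays' own code: a minimal reflected-XSS probe in Node.js that extracts same-origin links from a page, puts a unique marker payload into each query parameter one at a time, and reports a parameter only when the marker comes back as unencoded markup. The sample page, the marker value and the mock server (`mockFetch`, with a `/search` handler that echoes its parameter raw and a `/profile` handler that HTML-encodes it) are constructed for this demo; against a real site you would swap in an HTTP client.

```javascript
// Added example, not XSS Rays' own code: a minimal reflected-XSS probe in
// Node.js that mirrors the post's workflow (extract same-domain links, inject a
// payload into each query parameter, look for it coming back unencoded).
// The page HTML, the marker and the mock server are constructed for this demo.

// Constructed sample page, as the extension would see it on the target site.
const SAMPLE_HTML = `
  <a href="/search?q=shoes&page=1">Search</a>
  <a href="https://example.test/profile?user=alice">Profile</a>
  <a href="https://cdn.other.test/widget?id=9">third-party widget</a>
  <a href="/about">About</a>
`;

// Unique token wrapped in < > so that only an *unencoded* echo matches later.
const MARKER = "xsrays7f3b";
const PAYLOAD = `<${MARKER}>`;

// Steps 3-4 of the post: extract hrefs, keep same-origin links that carry parameters.
function extractLinks(html, base) {
  const origin = new URL(base).origin;
  const links = [];
  for (const m of html.matchAll(/href="([^"]+)"/g)) {
    const u = new URL(m[1], base);
    if (u.origin === origin && u.search) links.push(u.toString());
  }
  return links;
}

// Step 5: one probe per parameter, so a hit can be attributed to a single input.
function buildProbes(link) {
  const names = new Set(new URL(link).searchParams.keys());
  return [...names].map(name => {
    const p = new URL(link);
    p.searchParams.set(name, PAYLOAD); // URL-encodes < and >; the server decodes them
    return { param: name, url: p.toString() };
  });
}

// Constructed mock server standing in for the real site (which XSS Rays fetches
// over HTTP). /search echoes q raw: the server-side bug the post refers to.
// /profile HTML-encodes user: the server-side fix.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function mockFetch(url) {
  const u = new URL(url);
  if (u.pathname === "/search") return `<h1>Results for ${u.searchParams.get("q")}</h1>`;
  if (u.pathname === "/profile") return `<h1>${htmlEncode(u.searchParams.get("user"))}</h1>`;
  return "<h1>not found</h1>";
}

// A hit means the marker survived as markup (a tag), not as encoded text.
function isReflected(body) {
  return body.includes(PAYLOAD);
}

// Run the whole workflow; `fetch` is injectable so the same scan can use a real client.
function scan(html, base, fetch = mockFetch) {
  const findings = [];
  for (const link of extractLinks(html, base)) {
    for (const { param, url } of buildProbes(link)) {
      if (isReflected(fetch(url))) findings.push({ link, param });
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(scan(SAMPLE_HTML, "https://example.test/"));
}
```

Running it reports only `/search` parameter `q`: the `page` parameter is never echoed, `/profile` encodes its input, and the third-party widget link is dropped by the same-domain filter. The encoded-versus-raw contrast in `mockFetch` is the point the post makes about XSS being a server-side problem: the scanner can only find the missing output encoding, it cannot add it.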