Freigeben über


XSSDS

Björn Engelmann, Joachim Posegga, and LocalRodeo developer Martin Johns have authored an excellent paper on a new Cross-site Scripting detection system called XSSDS.  Stay tuned to noxss.org for a new browser extension based on this technology.  The XSSDS approach is similar in some ways to the IE8 XSS Filter approach, although it's worth noting that until recently Martin's team had no knowledge of our work in this space (and vice versa).

Comments

  • Anonymous
    September 30, 2008
    PingBack from http://www.easycoded.com/xssds/

  • Anonymous
    October 01, 2008
    From the PDF:- "No absolute URL can be shorter than 10 characters: The mandatory http:// consumes 7, and no regular domain shorter than 3 characters can be set up." That's no strictly true, rsnake showed a technique to use external urls without http:// e.g. //domain.com

  • Anonymous
    October 01, 2008
    Hey Gareth, we were aware of such urls. All external script-urls which use this scheme are alerted by default without subsequence matching, as we could not envision any legitimate usage besides filter evasion. We omitted a discussion of this border-case in the paper for brevity reasons.

  • Anonymous
    October 02, 2008
    The comment has been removed

  • Anonymous
    October 03, 2008
    (14) ",eval(name)// or technically the shortest poss is:- (8) URL=name But that requires the onclick context of a link:- <a href=# onclick="URL=name">test</a>

  • Anonymous
    October 16, 2008
    a {color : #0033CC;} a:link {color: #0033CC;} a:visited.local {color: #0033CC;} a:visited {color : #800080;}