web application security lab

XSS Cheat Sheet Updated With Firefox 2.0

After much procrastination on my part, I finally sat down and tested Firefox 2.0 from start to finish with the attack vectors from the XSS Cheat Sheet. The results were actually not that interesting, believe it or not. For the most part Firefox 2.0 looks exactly like Firefox 1.5 in terms of security against cross site scripting vectors. I was actually surprised there wasn’t more variation between the two revisions, to be honest. The really interesting part was when it got to the URL string evasion tests.

Just when I thought I was about done with my testing, Firefox 2.0 throws me a curve ball and changes how the Feeling Lucky function works. The latter two of these were vectors I found while I was messing with security toolbars and finding ways around their detection mechanisms. The following vectors no longer work within Firefox:

  • <A HREF="//google">XSS</A>
  • <A HREF="http://ha.ckers.org@google">XSS</A>
  • <A HREF="http://google:ha.ckers.org">XSS</A>

The last one really surprised me because it still works in the latest version of Opera. Bizarre. But overall this is a good thing; it really should have never worked in the first place. There’s no reason to allow odd URL strings to do anything other than give you errors or take you to a page asking you if you’d like advice on how to find what you were looking for - not automatic redirection.

So overall Firefox 2.0 hasn’t changed much aside from how Feeling Lucky works. Opera 9.0 changed a little in regard to RFC2616 compliance and Internet Explorer 7.0 changed the most in terms of fixing XSS vectors. So although the results weren’t that interesting for Firefox, the overall results if you aggregate the three browsers together are actually pretty interesting. I wonder how this will pan out in future revisions.
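
As an added example (not code from the original post), the check below runs the three hrefs listed above through the WHATWG URL parser in Node.js to show which part of each string is the actual host and which properties make it an odd URL a link filter should flag. The base URL, the function name and the flag names are assumptions made for illustration.

```javascript
// Added example: report the real destination of an href and why it looks odd.
// The sample links are the three vectors from the post plus one plain link.
const BASE = "http://example.test/"; // assumed page URL for resolving relative hrefs

function inspectHref(href, base = BASE) {
  const flags = [];
  const raw = href.trim();
  // "//host" inherits the scheme of the page it appears on.
  if (raw.startsWith("//")) flags.push("scheme-relative");

  let url;
  try {
    url = new URL(raw, base); // throws on a non-numeric port such as ":ha.ckers.org"
  } catch (e) {
    flags.push("unparseable");
    return { host: null, flags };
  }

  // Everything before '@' is credentials, not the destination.
  if (url.username || url.password) {
    flags.push("userinfo");
    if (url.username.includes(".")) flags.push("userinfo-looks-like-host");
  }

  // A bare word as host is not a fully qualified name, so where it ends up
  // depends on resolver or browser fallback behaviour.
  const host = url.hostname;
  if (host && !host.includes(".") && !host.startsWith("[") && host !== "localhost") {
    flags.push("single-label-host");
  }
  return { host, flags };
}

const samples = [
  "//google",
  "http://ha.ckers.org@google",
  "http://google:ha.ckers.org",
  "http://ha.ckers.org/",
];
for (const s of samples) {
  const r = inspectHref(s);
  console.log(s, "->", r.host, r.flags.join(",") || "ok");
}
```

A link filter can treat any non-empty flag list as a reason to show the parsed host to the user or to reject the link outright.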

2 Responses to “XSS Cheat Sheet Updated With Firefox 2.0”

  1. Kyran Says:

    The last one doesn’t work in the latest 9.1 test build. =)

  2. Kanedaaa Says:

    Latest Opera 9.1rc1 build 478 for Linux.
    When I click on the last link, it redirects to google.com.

    In Opera 9.02, the same effect.

    What is interesting is that when you click on it, it redirects to google.com BUT just once, probably because the cache mechanism affects this. When you hit the “back” button and try to click on that same link again, it doesn’t redirect to the google.com site.