web application security lab

XSS Locator Updated

Normally I make changes without telling anyone, because well, hell, no one notices generally. But last night I made a change that at least two people noticed because I inadvertently broke the xssAttacks.xml version of the XSS Cheat Sheet (which is getting more and more out of date unfortunately). I fixed the issue that broke the XML file (thanks to WhiteAcid and Nick for pointing it out). But I should probably explain one of the changes, since I think it’s worth noting.

I made a modification to the XSS Locator. Where it previously had said: </SCRIPT>!-- I modified it to say: --></SCRIPT>">'>

These are very deliberately placed. The closing comment tag is there because the strictest JavaScript convention wraps script bodies in HTML comments to keep them invisible to readers that don't gracefully ignore script they can't interpret. I found a real example of this yesterday.

Then after the end SCRIPT tag, which closes any script block that can possibly be open at that point, I have the double quote and the end angle bracket as well as the single quote and the end angle bracket, to jump out of whatever HTML attribute or tag you are in. Surprisingly, this small change makes it significantly more effective. I still don't use the Locator personally, but it's a great crutch if you are a) in a hurry or b) want to do a thorough test of some of the most common issues. It still doesn't include CSS, so I'll probably eventually add another one in there to pull out some of the most common CSS issues as well. That's for another day.
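To show from the defending side why that tail is effective, here is an added example (my code, not part of the post or the cheat sheet) that drops the --></SCRIPT>">'> fragment into three constructed output contexts, once raw and once through context-appropriate encoding, and checks whether it can still close the context it was placed in. The template strings and the escapes_context check are assumptions of this example.

```python
import html
import json
import re

# Tail of the updated XSS Locator quoted in the post above.
LOCATOR_TAIL = '--></SCRIPT>">\'>'

# Constructed templates, one per output context; {} marks where untrusted
# input lands. The script template places the value as a JS string literal.
TEMPLATES = {
    "html_text": "<p>No results for {}</p>",
    "attribute": '<input type="text" value="{}">',
    "js_string": "<script>var query = {};</script>",
}

def encode_for_context(value: str, context: str) -> str:
    """Escape untrusted text for the context it is about to be written into."""
    if context in ("html_text", "attribute"):
        # Escapes & < > " and ', so neither a tag nor a quoted attribute can be closed.
        return html.escape(value, quote=True)
    if context == "js_string":
        # JSON encoding supplies the quotes and escapes " and \; hex-escaping
        # < > / as well means </SCRIPT>, <!-- and --> cannot appear in the body.
        encoded = json.dumps(value)
        return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("/", "\\/")
    raise ValueError(f"no encoder for context {context!r}")

def render(context: str, value: str, encode: bool = True) -> str:
    """Fill the template for `context` with the value, escaped or raw."""
    data = encode_for_context(value, context) if encode else value
    return TEMPLATES[context].format(data)

def escapes_context(context: str, value: str, encode: bool = True) -> bool:
    """True if the value, once rendered, can close the context it was put in."""
    rendered = render(context, value, encode)
    prefix, suffix = TEMPLATES[context].split("{}")
    inner = rendered[len(prefix):len(rendered) - len(suffix)]
    if context == "html_text":
        return "<" in inner                      # a new tag could start here
    if context == "attribute":
        return '"' in inner                      # the quoted attribute could end here
    # js_string: strip the literal's own quotes, then look for an unescaped quote,
    # an end tag, or a comment delimiter that the HTML parser would act on
    body = inner[1:-1] if len(inner) >= 2 and inner[0] == inner[-1] == '"' else inner
    low = body.lower()
    return (re.search(r'(?<!\\)"', body) is not None
            or "</" in low or "-->" in low or "<!--" in low)

if __name__ == "__main__":
    for ctx in TEMPLATES:
        print(f"{ctx:10} raw: {escapes_context(ctx, LOCATOR_TAIL, False)}  "
              f"encoded: {escapes_context(ctx, LOCATOR_TAIL)}")
```

Raw, the fragment breaks all three contexts; encoded for the right context, it breaks none, which is the whole reason the locator is only a quick probe and output encoding is the fix.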

Anyway, sorry for breaking the XML file. I’ll try to be better about that one. That’ll teach me to drink beer and author XML by hand at the same time!

3 Responses to “XSS Locator Updated”

  1. Edward Z. Yang Says:

    Perhaps the HTML page should be generated from the XML?

  2. RSnake Says:

    I’ve thought of that, except the US-ASCII encoding vector on the HTML page doesn’t render properly in XML from what I can tell.

  3. Nick Night Says:

    Well, I like the XSS cheat sheet very much and I use it very often since it is a great way not only to evaluate our sites but it is also a valuable means for us noobs to learn more about the secrets of XSSing. Great job!
