web application security lab

XSS Warning Extension For Firefox

In the spirit of beta testing, I was sent a link by Gianni Amato to a new extension he’s written for Firefox called XSS Warning. Unsurprisingly, it warns you of potential XSS attacks in the URL string with a large blocking page. I have not spent a tremendous amount of time playing with this, but I had a few thoughts. Granted, this is experimental, so I’m not trying to rip into it; it definitely provides a service. But here are some thoughts.

Firstly, it only works in the case of reflected XSS. While that’s the most common form of XSS, it’s also only one form. Secondly, because it doesn’t generate an alert box, if the XSS is loaded inside a hidden iframe the user would never be warned that an attack was blocked (which also makes the extension easy to check for, incidentally). So while I love this research, and I want a lot more of it, this shouldn’t be considered a panacea, although I think we are well on our way now that we finally have people like Gianni and Giorgio looking at this. Very cool, and I encourage everyone to check it out.
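To make the two limitations above concrete, here is an added example (not the XSS Warning extension’s code, and its filter regex is a constructed heuristic, not Gianni’s list) of the kind of URL-string check such an extension performs: it flags query parameters that come back unencoded in the response, reports nothing for stored XSS since there is no suspicious parameter, and records separately whether a blocking page would actually be seen. The `isTopLevelFrame` flag stands in for `window.top === window.self` so the example runs under Node.

```javascript
// Characters and tokens that can break out of an HTML text context when
// reflected unencoded. Constructed heuristic, not the extension's filter list.
const SUSPICIOUS = /[<>"']|javascript:|\bon\w+\s*=/i;

// Query parameters whose (URL-decoded) value contains suspicious characters.
function suspiciousParams(url) {
  const hits = [];
  for (const [name, value] of new URL(url).searchParams) {
    if (SUSPICIOUS.test(value)) hits.push({ name, value });
  }
  return hits;
}

// Reflected XSS signal: the suspicious value comes back verbatim in the
// response. A value the server HTML-encodes on the way out is not reported,
// and a payload that was stored earlier (no suspicious parameter in this
// request) is never seen by this check at all.
function reflectedParams(url, responseHtml) {
  return suspiciousParams(url)
    .filter(({ value }) => responseHtml.includes(value))
    .map(({ name }) => name);
}

// The extension replaces the page with a blocking page. Inside a hidden
// iframe nobody sees that page, so the decision records whether the user
// would actually be told. isTopLevelFrame is an assumed parameter here; in
// a browser the caller would pass window.top === window.self.
function decide(url, responseHtml, isTopLevelFrame) {
  const params = reflectedParams(url, responseHtml);
  const block = params.length > 0;
  return { block, userWarned: block && isTopLevelFrame, params };
}

// Constructed sample request and two constructed server responses.
const SAMPLE_URL =
  "http://example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&page=2";
const UNSAFE_RESPONSE = "<p>Results for <script>alert(1)</script></p>";
const ENCODED_RESPONSE =
  "<p>Results for &lt;script&gt;alert(1)&lt;/script&gt;</p>";

console.log(decide(SAMPLE_URL, UNSAFE_RESPONSE, true));  // blocked and warned
console.log(decide(SAMPLE_URL, UNSAFE_RESPONSE, false)); // blocked, user not warned
console.log(decide(SAMPLE_URL, ENCODED_RESPONSE, true)); // nothing reflected
```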

One Response to “XSS Warning Extension For Firefox”

  1. Sid Says:

    I’ve recently had another look at the code for the extension (v 0.1.6). Please don’t use this extension. He has reduced the number of filters; the list is very limited and not nearly enough. Of course, by all means try to find a better solution to this problem.