In the spirit of beta testing, I was sent a link from Gianni Amato on a new extension he’s written for Firefox called XSS Warning. Unsurprisingly, it warns you of potential XSS attacks on the URL string with a large blocking page. I have not spent a tremendous amount of time playing with this, but I had a few thoughts. Granted this is experimental, so I’m not trying to rip into it, because it definitely provides a service. But here are some thoughts.
Firstly, it only works in the case of reflected XSS. While that’s the most common form of XSS, it’s also only one form. Secondly, because it doesn’t generate an alert box, if the XSS is loaded inside of a hidden iframe, the user would never be warned that it failed (also making it easy to check for, incidentally). So while I love this research, and I want a lot more of it, this shouldn’t be considered a panacea, although I think we are well on our way now that we finally have people like Gianni and Giorgio looking at this. Very cool, and I encourage everyone to check it out.