
Firefox v28.0 XSS Vulnerability

03/04/2014

Dear Firefox,
We love you, please fix this.

SupraFortix Blog

This post concentrates on my recent research regarding reflective Cross-Site Scripting (XSS or CSS) vulnerabilities within the most popular web browsers. The setup used to test the browsers runs within a virtualised environment, using Damn Vulnerable Web Application (DVWA) hosted by an XAMPP Apache server.

WHAT IS REFLECTIVE XSS?
Reflective XSS uses maliciously crafted URLs that carry JavaScript, HTML or PHP code. The code automatically fills in a vulnerable user input box and is then reflected back to the user by the reflective functions of dynamic web pages.

URL generated by this mechanism:
http://10.208.42.43/dvwa/vulnerabilities/xss_r/?name=John+Smith

Example of a “malicious URL” carrying JavaScript code, used in this experiment:
http://10.208.42.43/dvwa/vulnerabilities/xss_r/?name=alert("hello!")
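
The reflection described above, as an added example that is not code from the original post or from DVWA: a stand-in handler that echoes the `name` parameter unchanged, next to one that HTML-encodes it first. The function names and the `<b>` markup sample are constructed for illustration; the base URL is the one shown in the post.

```javascript
// Added example: stand-in for a page that reflects the "name" query parameter.
// Not DVWA's code; function names and the markup sample are constructed.

// Extract the parameter the way a server-side framework would:
// percent-encoding is decoded and "+" becomes a space.
function nameFromUrl(url) {
  return new URL(url).searchParams.get("name") ?? "";
}

// Vulnerable pattern: the decoded value is concatenated into HTML unchanged,
// so markup carried in the URL becomes markup in the response.
function renderReflected(url) {
  return "<pre>Hello " + nameFromUrl(url) + "</pre>";
}

// HTML-encode the five characters that can change the HTML context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: the same reflection, but the value is output-encoded,
// so the browser displays it as text instead of parsing it as markup.
function renderEncoded(url) {
  return "<pre>Hello " + escapeHtml(nameFromUrl(url)) + "</pre>";
}

const BASE = "http://10.208.42.43/dvwa/vulnerabilities/xss_r/";
const benignUrl = BASE + "?name=John+Smith";            // URL from the post
const markupRaw = BASE + "?name=<b>John</b>";           // constructed sample
const markupPct = BASE + "?name=%3Cb%3EJohn%3C%2Fb%3E"; // same value, percent-encoded

// The raw and percent-encoded URLs decode to the same value on the server,
// so both produce identical output in each handler.
for (const u of [benignUrl, markupRaw, markupPct]) {
  console.log(renderReflected(u), "|", renderEncoded(u));
}
```
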

GOOGLE CHROME

v33.0.1750.154m — Updated 14. March 2014

The malicious URL is not accepted.

The reason is that Google Chrome added special character encoding to their URL bar. If you copy and paste the executed URL into Notepad you can see that characters, such as
