
XSSDS

Björn Engelmann, Joachim Posegga, and LocalRodeo developer Martin Johns have authored an excellent paper on a new Cross-site Scripting detection system called XSSDS.  Stay tuned to noxss.org for a new browser extension based on this technology.  The XSSDS approach is similar in some ways to the IE8 XSS Filter approach, although it's worth noting that until recently Martin's team had no knowledge of our work in this space (and vice versa).

Published Tuesday, September 30, 2008 11:15 AM by dross


Comments


# re: XSSDS

From the PDF:

"No absolute URL can be shorter than 10 characters: The mandatory http:// consumes 7, and no regular domain shorter than 3 characters can be set up."

That's not strictly true, rsnake showed a technique to use external URLs without http://, e.g. //domain.com

Wednesday, October 01, 2008 12:49 PM by Gareth Heyes
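The exchange above turns on whether a script's src is external, and on using its length as a proxy for that. The following is an added example, not code from the XSSDS paper, the noxss.org extension or this blog: it puts the quoted 10-character rule next to the check that actually answers the question, resolving the src against the page's base URL with the WHATWG URL parser and comparing origins. The page URL, the sample srcs and the threshold constant are constructed for the example; the scheme-relative case Gareth raises and a backslash variant (which the WHATWG parser normalizes to slashes for http(s)) are both under 10 characters and both external.

```javascript
// Added example (not from the paper or the post): a length/prefix rule for "is this
// script src external?" versus resolving the URL and comparing origins.
// PAGE_BASE, SAMPLE_SRCS and MIN_ABSOLUTE_URL_LEN are constructed for this example.

const PAGE_BASE = "http://shop.example/cart/view"; // assumed victim page URL
const MIN_ABSOLUTE_URL_LEN = 10;                    // the rule as quoted in the comment

// Naive rule: an absolute (hence external) URL must start with http(s):// and be >= 10 chars.
function naiveLooksExternal(src) {
  return src.length >= MIN_ABSOLUTE_URL_LEN && /^https?:\/\//i.test(src);
}

// Resolution-based rule: let the URL parser resolve src against the page, then compare origins.
function resolvedIsExternal(src, base = PAGE_BASE) {
  let resolved;
  try {
    resolved = new URL(src, base);
  } catch (e) {
    // Unparseable src: the browser would not fetch it either.
    return { external: false, resolved: null, error: String(e) };
  }
  const external = resolved.origin !== new URL(base).origin;
  return { external, resolved: resolved.href };
}

const SAMPLE_SRCS = [
  "/js/app.js",           // relative path, same origin
  "http://cdn.example/a", // absolute, external, 20 chars: both rules agree
  "//a.bc/x",             // scheme-relative, 8 chars: external, below the threshold
  "\\\\a.bc/x",           // two backslashes, 8 chars: WHATWG parser treats them as slashes
];

function compare(srcs = SAMPLE_SRCS) {
  return srcs.map((src) => ({
    src,
    length: src.length,
    naive: naiveLooksExternal(src),
    resolved: resolvedIsExternal(src),
  }));
}

// srcs that resolve to another origin but that the length/prefix rule calls local.
function missedByNaiveRule(srcs = SAMPLE_SRCS) {
  return compare(srcs)
    .filter((r) => r.resolved.external && !r.naive)
    .map((r) => r.src);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of compare()) console.log(r);
  console.log("missed by the length rule:", missedByNaiveRule());
}
```

The point for anyone building a similar detector: do not infer "local" from a short or scheme-less src. Resolve it the way the browser will and compare origins; the resolver is also what catches parser-normalization cases such as the backslash form without a list of special prefixes.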

# re: XSSDS

Hey Gareth, we were aware of such URLs. All external script URLs which use this scheme are alerted by default without subsequence matching, as we could not envision any legitimate usage besides filter evasion. We omitted a discussion of this border case in the paper for brevity reasons.

Thursday, October 02, 2008 4:45 AM by Martin Johns

# re: XSSDS

My favorite line is "This choice is based on the assumption that no reasonably complex malicious script will be shorter than 15 characters." I guess the authors don't know the eval(name) trick.  

Thursday, October 02, 2008 4:28 PM by thornmaker

# re: XSSDS

(14 characters)

",eval(name)//

or technically the shortest possible is:-

(8 characters)

URL=name

But that requires the onclick context of a link:-

<a href=# onclick="URL=name">test</a>

Friday, October 03, 2008 8:51 AM by Gareth Heyes
