XSS Me Warnings - real XSS issues?
<p>I've been using the free Firefox extension <a href="https://addons.mozilla.org/en-US/firefox/addon/7598" rel="nofollow noreferrer">XSS Me</a> from Security Compass to test for XSS problems. However, using what I understand to be safe filtering, XSS Me still reports warnings. Are these accurate warnings or spurious?</p>
<p>Using the code below as a testcase:</p>
<pre><code>&lt;?php $param = isset($_POST['param']) ? $_POST['param'] : ''; ?&gt;
&lt;form method="post" action=""&gt;
  &lt;input type="text" name="param" value="&lt;?php echo htmlentities($param) ?&gt;"&gt;
  &lt;input type="submit"&gt;
&lt;/form&gt;
&lt;?php echo htmlentities($param) ?&gt;
</code></pre>
<p>I run some nasties by hand but none of them are executed in the browser, and using the <a href="http://charlesproxy.com" rel="nofollow noreferrer">Charles debugging proxy</a> I can see that the response is encoded as expected.</p>
<p>However, XSS Me reports a number of warnings, as if it can see the unencoded string in the HTML source: <a href="http://img696.imageshack.us/img696/8850/xss.png" rel="nofollow noreferrer">screenshot of the XSS Me warnings</a></p>
<p>Looking in Charles at the same time, I can see the strings are encoded and should be safe, e.g. <code>&amp;lt;IMG SRC=&amp;quot;jav ascript:document.vulnerable=true;&amp;quot;&amp;gt;</code></p>
<ul>
<li>Is there a vulnerability I haven't fixed?</li>
<li>Are these rogue warning messages?</li>
<li>And if so, is another Firefox extension (Firebug?) conflicting with XSS Me?</li>
</ul>
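One check worth adding when reviewing this kind of test page (example code written for this page, not the question's code and not part of XSS Me): the safety of <code>htmlentities()</code> depends on the output context and on its flags, and the default flags changed in PHP 8.1, so the variant below makes both explicit and shows the one case the question's double-quoted attribute does not exercise, a single-quoted attribute. The <code>$input</code> string is constructed; <code>esc()</code> and <code>breaksQuotedAttribute()</code> are helper names chosen here.

```php
<?php
// Added example, not from the question. Before PHP 8.1 htmlentities() defaulted
// to ENT_COMPAT (single quotes left as-is); since 8.1 it defaults to
// ENT_QUOTES | ENT_SUBSTITUTE. Passing the flags removes the version dependence.
declare(strict_types=1);

/** Escape for HTML text nodes and for double- or single-quoted attributes. */
function esc(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** True if the escaped string still contains the quote that delimits the attribute. */
function breaksQuotedAttribute(string $escaped, string $quote): bool
{
    return strpos($escaped, $quote) !== false;
}

// Constructed input: the question's marker payload plus a single quote.
$input = "<IMG SRC=\"jav ascript:document.vulnerable=true;\"> and a single ' quote";

// The question's call with the pre-8.1 default spelled out, beside the explicit form.
$compat = htmlentities($input, ENT_COMPAT, 'UTF-8');
$quotes = esc($input);

printf("ENT_COMPAT : %s\n", $compat);
printf("ENT_QUOTES : %s\n", $quotes);

// Double-quoted attribute, the question's case: neither variant can close value="...".
var_dump(breaksQuotedAttribute($compat, '"'));
var_dump(breaksQuotedAttribute($quotes, '"'));

// Single-quoted attribute: only the ENT_QUOTES output is safe inside value='...'.
var_dump(breaksQuotedAttribute($compat, "'"));
var_dump(breaksQuotedAttribute($quotes, "'"));
?>
<form method="post" action="">
  <input type="text" name="param" value="<?= esc($_POST['param'] ?? '') ?>">
  <input type="submit">
</form>
<?= esc($_POST['param'] ?? '') ?>
```

Run it with <code>php -S localhost:8080 file.php</code> and submit the form; the raw response (what a proxy such as Charles shows) is the thing to compare against the scanner's report, since a browser decodes the entities back into the original string when it builds the DOM value of the input.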