StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
2157443
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2010-01-28T19:44:03.073
FavoriteCount
0
LastActivityDate
2010-01-28T19:44:03.073
LastEditDate
LastEditorUserId
0
OwnerUserId
132504
ParentId
2102836
PostTypeId
2
Score
5
ViewCount
0
LastEditorDisplayName
text
Body
I work at Security Compass and am the lead developer for the Exploit Me tools. You're right that XSS Me is reporting a warning because these attack strings seem (to XSS Me) to have come back from the server completely unencoded. Another parser/JavaScript engine (like IE 6/7/8, Safari, or Chrome) might execute this code even though Firefox's parser and JavaScript engine don't. XSS Me submits two requests: <ul> <li>One request where we detect exploitation using FireFox's JavaScript engine, which we call "errors"</li> <li>A second request where we detect exploitation by simply grepping for the attack string in the HTML response page</li> </ul> The warning you're getting is caused by this second request. I can help you get to the root cause of this issue if you can do the following: <ol> <li>Use packet sniffing software (i.e. Wireshark <a href="http://www.wireshark.org/" rel="noreferrer">http://www.wireshark.org/</a>) to detect the attack string rather than Charles. Sometimes proxies have a way of modifying or otherwise altering requests</li> <li>In Firefox, can you go to tools->addons and disable all the extensions except XSS Me? That way you can be sure no other extension is changing the response (or request) before it gets to XSS Me.</li> <li>View the source of the response page in Firefox to see if the unencoded string appears</li> </ol> If you'd like to send me an email (tom@securitycompass.com) with those results I'd be happy to help figure this out. If it's a bug in XSS Me (which I certainly hope not) then I can patch it and get a new build out. Thanks, Tom
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POXSS Me Warnings - real XSS issues?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USMystic
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POXSS Me Warnings - real XSS issues?
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTAcceptedByOriginator
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COThanks, I just need to get XSS Me installed on Firefox 3.6 - any chance of a compatible release?
 singulars
 PostPostId
 PO
 UserUserId
 USPeterB
2. COWe hope to get an "experimental" (read: unreviewed) release up on addons.mozilla.org this week. I'll post a link when it's up :-). The review process should be quick but isn't something we control.
 singulars
 PostPostId
 PO
 UserUserId
 USMystic

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.