XSSDS
Björn Engelmann, Joachim Posegga, and LocalRodeo developer Martin Johns have authored an excellent paper on a new Cross-site Scripting detection system called XSSDS. Stay tuned to noxss.org for a new browser extension based on this technology. The XSSDS approach is similar in some ways to the IE8 XSS Filter approach, although it's worth noting that until recently Martin's team had no knowledge of our work in this space (and vice versa).
Comments
Anonymous
September 30, 2008
PingBack from http://www.easycoded.com/xssds/
Anonymous
October 01, 2008
From the PDF:- "No absolute URL can be shorter than 10 characters: The mandatory http:// consumes 7, and no regular domain shorter than 3 characters can be set up." That's not strictly true, rsnake showed a technique to use external URLs without http:// e.g. //domain.com
Anonymous
October 01, 2008
Hey Gareth, we were aware of such urls. All external script-urls which use this scheme are alerted by default without subsequence matching, as we could not envision any legitimate usage besides filter evasion. We omitted a discussion of this border-case in the paper for brevity reasons.
Anonymous
October 02, 2008
The comment has been removed
Anonymous
October 03, 2008
(14) ",eval(name)//
or technically the shortest poss is:-
(8) URL=name
But that requires the onclick context of a link:-
<a href=# onclick="URL=name">test</a>
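The rule described in the comment exchange above (external script URLs written scheme-relative, such as //domain.com, are alerted by default without subsequence matching) is shown here as an added example; it is not code from the XSSDS paper or its authors. The function names, hosts and sample response are constructed for illustration, and a plain containment check stands in for the paper's subsequence matching.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a response body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src.strip())


def classify(src, page_host, params):
    """Return (verdict, reason) for one script URL found in the response."""
    parts = urlsplit(src)
    host = (parts.hostname or "").lower()
    if not host or host == page_host.lower():
        return ("ok", "relative or same-host URL")
    if not parts.scheme:
        # Scheme-relative external URL (//host/...): alert by default,
        # with no matching against the request at all.
        return ("alert", "scheme-relative external script URL")
    # Assumption: simple containment replaces the paper's subsequence matching.
    if any(src.lower() in value.lower() for value in params.values()):
        return ("alert", "external script URL present in a request parameter")
    return ("ok", "external URL not derived from the request")


def scan_response(body, page_host, params):
    """Classify every script URL in an HTML response body."""
    collector = ScriptSrcCollector()
    collector.feed(body)
    return [(s,) + classify(s, page_host, params) for s in collector.sources]


# Constructed sample data, not taken from the paper.
SAMPLE_BODY = (
    '<script src="/js/site.js"></script>'
    '<script src="http://cdn.example.net/lib.js"></script>'
    '<script src="//a.example/x.js"></script>'
    '<script src="http://b.example/y.js"></script>'
)
SAMPLE_PARAMS = {"q": 'x"><script src="http://b.example/y.js">'}

if __name__ == "__main__":
    for row in scan_response(SAMPLE_BODY, "www.example.org", SAMPLE_PARAMS):
        print(row)
```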