
Gareth Heyes:
Bypassing XSS Auditor
February 20, 2013 @ 11:21:29

Gareth Heyes has posted several bypasses he found for XSS Auditor, the reflected-XSS filter built into WebKit-based browsers such as Chrome:

I had a look at XSS Auditor for a bit of fun because Mario said it's getting harder to bypass. Hmmm I don't agree. I seem to remember the same flaws are present from the last time I checked it with a little variation. It is also a very limited XSS filter not supporting detection of script based attacks (very common).

He includes three bypasses of his own: a "formaction" attribute on a submit input placed inside an existing form, a "target" attribute used to get around the restriction on iframes loading external resources, and a specially placed injected anchor tag. Each comes with a proof-of-concept example, and a fourth bypass is included courtesy of Mario Heiderich.



All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework