Björn Engelmann, Joachim Posegga, and LocalRodeo developer Martin Johns have authored an excellent paper on a new Cross-site Scripting detection system called XSSDS.  Stay tuned to noxss.org for a new browser extension based on this technology.  The XSSDS approach is similar in some ways to the IE8 XSS Filter approach, although it’s worth noting that until recently Martin’s team had no knowledge of our work in this space (and vice versa).

Comments (6)

  1. Gareth Heyes says:

    From the PDF:-

    "No absolute URL can be shorter than 10 characters:

    The mandatory http:// consumes 7, and no regular

    domain shorter than 3 characters can be set up."

    That’s no strictly true, rsnake showed a technique to use external urls without http:// e.g. //domain.com

  2. Martin Johns says:

    Hey Gareth, we were aware of such urls. All external script-urls which use this scheme are alerted by default without subsequence matching, as we could not envision any legitimate usage besides filter evasion. We omitted a discussion of this border-case in the paper for brevity reasons.

  3. thornmaker says:

    My favorite line is "This choice is based on the assumption that no reasonably complex malicious script will be shorter than 15 characters." I guess the authors don’t know the eval(name) trick.  

  4. Gareth Heyes says:



    or technically the shortest poss is:-



    But that requires the onclick context of a link:-

    <a href=# onclick="URL=name">test</a>

  5. a {color : #0033CC;} a:link {color: #0033CC;} a:visited.local {color: #0033CC;} a:visited {color : #800080;}