I’ve been doing a little bit of XSS work and, in particular, have been testing a website for XSS vulnerabilities. It was clear the site had a reflected (Type 1) vulnerability from simply typing some script code into a suitable input and submitting the form. What I needed to do was create a simple HTML page that illustrated to the owner of the site how this could be exploited. Here’s my page:
With a bit of imagination you can see how I could dress this up (i.e. apply a bit of rudimentary design mimicking the target site) to lure people into thinking it has some legitimacy and get them to click the button, at which point my page posts to the target site carrying my evil XSS payload. I was initially disappointed when this was the result (note the IE message):
IE8 includes an XSS filter to protect users from this type of attack. I'd missed this fact. Twitter wasn't the target of my efforts, nor am I suggesting they have an XSS vulnerability; I merely use them here to protect the identity of the real site.
What to do? Well, for testing purposes you can have the target page send the response header X-XSS-Protection: 0 (which switches the filter off), or you could use a less secure browser for your XSS testing :-).
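To make the reflected (Type 1) pattern and the header concrete, here is a small Node.js model of the target form's server side, added as an example that is not part of the original post: the vulnerable handler that reflects input as-is, the same handler with output encoding, and the two X-XSS-Protection values in play. The `q` parameter, the function names and the sample payload are my own assumptions.

```javascript
// Constructed sample input of the kind a tester would submit to the form.
const SAMPLE_PAYLOAD = "<script>alert(1)</script>";

// Escape the characters that are significant in an HTML text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable form: the submitted value is concatenated into the markup as-is,
// which is the reflected (Type 1) pattern the post found.
function renderReflected(query) {
  return `<p>You searched for: ${query}</p>`;
}

// Hardened form: the same page with output encoding at the point of insertion.
function renderEncoded(query) {
  return `<p>You searched for: ${escapeHtml(query)}</p>`;
}

// Models the server side of the target form (hypothetical "q" parameter).
// hardened=false reproduces the post's testing setup: raw reflection with the
// browser filter switched off via X-XSS-Protection: 0. hardened=true applies
// encoding (the real fix) and keeps the filter on in blocking mode as defence
// in depth for browsers that still honour the header.
function handleRequest(rawUrl, hardened) {
  const q = new URL(rawUrl, "http://localhost").searchParams.get("q") || "";
  return {
    status: 200,
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "X-XSS-Protection": hardened ? "1; mode=block" : "0",
    },
    body: hardened ? renderEncoded(q) : renderReflected(q),
  };
}

// Crude tester's check: does the submitted value come back as raw markup?
// Only detects verbatim reflection; a real assessment also checks other contexts.
function reflectsUnencoded(response, payload) {
  return response.body.includes(payload);
}

// Run both variants with the constructed payload and report the outcome.
function demo() {
  const url = "/search?q=" + encodeURIComponent(SAMPLE_PAYLOAD);
  const weak = handleRequest(url, false);
  const strong = handleRequest(url, true);
  return { weakReflects: reflectsUnencoded(weak, SAMPLE_PAYLOAD),
           strongReflects: reflectsUnencoded(strong, SAMPLE_PAYLOAD) };
}
```

The header only changes what the browser does with a page that is already vulnerable; the encoded handler is what actually removes the finding.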