Comments on k3170: WebKit XSSAuditor : The XSS catalyst
Keith Makan (http://www.blogger.com/profile/10220395050030522020)
Feed updated: 2024-03-03T00:45:39.827-08:00

Michael McMillan (https://www.blogger.com/profile/02533401839830358953), 2012-07-25T17:08:40.411-07:00:

Thanks for that quick reply, thanks for the explanation. You made it very clear! Keep posts like these coming.

Keith anti-newb Makan (https://www.blogger.com/profile/12774891269981085834), 2012-07-19T16:28:25.037-07:00:

Thanks for the comment. Good question. Oh yes, when I say "helping propagate" I mean the way it operates helps the effectiveness of a reflected attack, so much so that where XSS is impossible, in some cases, it now becomes possible. I agree that websites should protect against XSS, and the above website does! Though this is a simplistic example of XSS protection, many websites employ the same train of thought: "HTML tags are bad input, I must remove them before echoing my output", and this does work in many cases. The problem is that the XSSAuditor is trying to do the same thing, and because of the way it is trying to do this, it's possible to turn what XSSAuditor purports to be a protection into a weakness. In effect the website's protection also means nothing, because of the auditor. Chrome users at the moment believe that because the XSSAuditor is sitting in their HTML parsers, they don't need to worry about reflected XSS, which (in any social engineer's mind) creates the perfect trust vulnerability, helping the effectiveness of attacks.

If we can get users to believe one falsehood (actually two if the website promises to be safe) we can use it to imply belief in more! So in summary, 1: it helps propagate attacks because it turns website protection against the user, and 2: it helps people believe that they cannot suffer from these attacks.

Michael McMillan (https://www.blogger.com/profile/02533401839830358953), 2012-07-19T02:23:48.916-07:00:

Interesting post, thanks for your research. I would however prefer if you could elaborate on "XSSAuditor is supposed to protect users but what it's doing here is actually helping propagate attacks!".

I have to disagree, in what way does it encourage XSS? The XSSAuditor does everything it is supposed to do, it is the website's responsibility to make sure that all user-submitted content is sanitized properly.