Home/ Questions/Q 581749
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T14:36:47+00:00

I’ve been using the free Firefox extension XSS Me from Security Compass to test

  • 0

I’ve been using the free Firefox extension XSS Me from Security Compass to test for XSS problems. However, using what I understand to be safe filtering, XSS me still reports warnings. Are these accurate warnings or spurious?

Using the code below as a testcase:

<form method="post" action="">
<input type="text" name="param" value="<?php echo htmlentities($_POST['param'])?>">
<input type="submit">
</form>
<?php echo htmlentities($_POST['param'])?>

I run some nasties by hand but none of them are executed in the browser, and using Charles debugging proxy I can see that the response is encoded as expected.

However, XSS Me reports a number of warnings, as if it can see the unencoded string in the HTML source:
alt text http://img696.imageshack.us/img696/8850/xss.png

Looking in Charles at the same time, I can see the strings are encoded and should be safe e.g. &lt;IMG SRC=&quot;jav ascript:document.vulnerable=true;&quot;&gt;

  • Is there a vulnerability I haven’t fixed?
  • Are these rogue warning messages?
  • And if so, is another Firefox extension (Firebug?) conflicting with XSS Me?
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I work at Security Compass and am the lead developer for the Exploit Me tools.

    You’re right that XSS Me is reporting a warning because these attack strings seem (to XSS Me) to have come back from the server completely unencoded. Another parser/JavaScript engine (like IE 6/7/8, Safari, or Chrome) might execute this code even though Firefox’s parser and JavaScript engine don’t.

    XSS Me submits two requests:

    • One request where we detect exploitation using FireFox’s JavaScript engine, which we call “errors”
    • A second request where we detect exploitation by simply grepping for the attack string in the HTML response page

    The warning you’re getting is caused by this second request.

    I can help you get to the root cause of this issue if you can do the following:

    1. Use packet sniffing software (i.e. Wireshark http://www.wireshark.org/) to detect the attack string rather than Charles. Sometimes proxies have a way of modifying or otherwise altering requests

    2. In Firefox, can you go to tools->addons and disable all the extensions except XSS Me? That way you can be sure no other extension is changing the response (or request) before it gets to XSS Me.

    3. View the source of the response page in Firefox to see if the unencoded string appears

    If you’d like to send me an email (tom@securitycompass.com) with those results I’d be happy to help figure this out. If it’s a bug in XSS Me (which I certainly hope not) then I can patch it and get a new build out.

    Thanks,

    Tom

    • 0