Security Compass has created a series of Firefox add-ons that aid in performing web application assessments. These tools are a convenient way of finding vulnerabilities within web applications. I do want to point out that even though these tools are useful, there is no guarantee that all vulnerabilities will be found: a form-fuzzing add-on can only exercise the inputs it is able to see.
XSS-Me is one of the tools in the series that helps to find cross-site scripting (XSS) vulnerabilities within web applications. The tool works by locating the forms in the page currently loaded in the tab, then submitting a series of XSS test strings through the inputs of each form to see whether the application reflects them back unfiltered. A screenshot of how the tool should look inside Firefox can be seen below.
Now all you have to do is click “Run all tests” and let XSS-Me do its thing. Keep in mind that XSS-Me will also find forms that are present in the page's markup but not visible on screen. That is how things are supposed to work, but you will eventually come across a page that clearly has forms which XSS-Me does not detect. The usual cause is that the page is built from frames: XSS-Me only inspects the document loaded in the current tab, and a form inside a frame belongs to a separate document. A good example of this is Chris Rohlf’s site, seen below.
From the screenshot you can see there is a search form at the top of the page, but XSS-Me does not detect its presence. This is because the search form is wrapped inside a frame. A quick tip to get around this problem is to open the frame in another tab or window. All you have to do in Firefox is right-click inside the frame and select “This Frame > Open Frame in New Tab”. A screenshot can be seen below. Take note of the frame's URL when you do this: the framed document may be served from a different host than the outer page, which matters when deciding what is in scope for the assessment.
Once you have the frame in a new tab, XSS-Me will detect the form as normal. This can be seen in the screenshot below.
The same technique applies to the SQL Inject Me tool from Security Compass, since it locates forms in the current document in the same way.
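To make the frame problem concrete, here is an added example (not code from XSS-Me or from this post) in JavaScript: a toy form scanner that, like the add-on, only looks at one document at a time, run against two constructed pages that mimic a framed site. The page names, form fields and the `SITE` map standing in for the browser's fetches are all assumptions made up for the example. A scan of the outer frameset page finds no forms at all; scanning each frame source as its own top-level document, which is what the right-click workaround does by hand, finds the search form and a second form hidden with CSS.

```javascript
// Added example, not XSS-Me's own code: a toy per-document form scanner run
// against constructed pages that mimic a framed site.

// Constructed outer page: a frameset with no forms of its own.
const OUTER_PAGE = `
<html><head><title>Outer</title></head>
<frameset rows="80,*">
  <frame name="header" src="/header.html">
  <frame name="body" src="/blog.html">
</frameset></html>`;

// Constructed framed page: a visible search form plus a form hidden with CSS.
const HEADER_PAGE = `
<html><body>
<form id="search" action="/search" method="get">
  <input type="text" name="q">
  <input type="hidden" name="lang" value="en">
  <input type="submit" value="Search">
</form>
<form id="newsletter" action="/subscribe" method="post" style="display:none">
  <input type="text" name="email">
</form>
</body></html>`;

// Constructed "site": URL -> HTML, standing in for what the browser would fetch.
const SITE = {
  '/index.html': OUTER_PAGE,
  '/header.html': HEADER_PAGE,
  '/blog.html': '<html><body><p>posts</p></body></html>',
};

// Reads one double-quoted attribute out of a tag's attribute string.
function attr(attrs, name, dflt = '') {
  const m = attrs.match(new RegExp('\\b' + name + '\\s*=\\s*"([^"]*)"', 'i'));
  return m ? m[1] : dflt;
}

// Lists the <form> elements of ONE document: action, method, whether it is
// hidden with CSS, and the named inputs a fuzzer would push test strings through.
function findForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const inputs = [];
    const inputRe = /<(?:input|textarea|select)\b([^>]*)>/gi;
    let im;
    while ((im = inputRe.exec(body)) !== null) {
      const name = attr(im[1], 'name');
      const type = attr(im[1], 'type', 'text').toLowerCase();
      if (name && type !== 'submit') inputs.push({ name, type });
    }
    forms.push({
      action: attr(attrs, 'action'),
      method: attr(attrs, 'method', 'get').toLowerCase(),
      hidden: /display\s*:\s*none/i.test(attr(attrs, 'style')),
      inputs,
    });
  }
  return forms;
}

// Lists the documents the frames/iframes on this page load: each one is a
// separate document that a per-document scan never looks inside.
function findFrameSources(html) {
  const sources = [];
  const re = /<(?:frame|iframe)\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = attr(m[1], 'src');
    if (src) sources.push(src);
  }
  return sources;
}

// What a scanner that only inspects the current document finds.
function scanTopLevelOnly(url, site) {
  return findForms(site[url] || '');
}

// The manual workaround from the post, automated: treat each frame source as
// its own top-level document and scan it too (`seen` stops frame loops).
function scanIncludingFrames(url, site, seen = new Set()) {
  if (seen.has(url) || !(url in site)) return [];
  seen.add(url);
  const html = site[url];
  const own = findForms(html).map(f => ({ page: url, ...f }));
  const nested = findFrameSources(html).flatMap(src => scanIncludingFrames(src, site, seen));
  return own.concat(nested);
}

// The outer page alone yields no forms; the frame-aware scan yields both forms
// in /header.html, including the one hidden with display:none.
console.log('top-level only:', scanTopLevelOnly('/index.html', SITE).length);
console.log('including frames:', scanIncludingFrames('/index.html', SITE));
```

In a live browser the equivalent is walking `window.frames` from the developer console, but the same-origin policy throws as soon as a frame comes from another origin, which is another reason the "open frame in a new tab" trick is the simpler route: the framed document becomes the top-level document, and the add-on sees its forms directly.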
This tip was passed along to me by Sahba Kazerooni, who works at Security Compass. I have no affiliation with Security Compass, but I met Sahba and some other Security Compass employees at a conference and they were all down-to-earth guys who had great knowledge and experience when it came to information security. So thanks for the tip, Sahba, and hopefully this tip will help others secure their web applications as well.
10 replies on “XSS-Me tool & html frames”
Hi, I found your blog on this new directory of WordPress blogs at blackhatbootcamp.com/listofwordpressblogs. I don't know how your blog came up, must have been a typo, I dunno. Anyway, I just clicked it and here I am. Your blog looks good. Have a nice day. James.
Sorry for the late response, but thanks for the positive feedback. I'm gonna get off my ass soon and post more content, so keep an eye out.
I was looking for some ideas and stumbled upon your post 🙂 Decided to say thanks. Eugene
Great post mate. Keep them coming….
Hi! I’m sorry for my bad English…
Anyway, yeah, nice post, but I still have some troubles with XSS-Me.
When I check my website for problems clicking on “Run all tests”, it always stops at “32/40 Tests Run” and if I cancel the test and I restart it, it says “Could not run tests as test are already running. Please wait for these tests to finish”.
I only have to close and restart Firefox…
I have tried many times, I’ve also waited for hours for this 32nd test to succeed, but always with the same result…
I’m using XSS Me 0.4.3 and Firefox 3.5.5.
Maybe can you help me? 🙂
I too have noticed some errors when running XSS-Me on Firefox 3.5.5. My only suggestion is to submit a bug to securitycompass.com. Hopefully they can fix the problem pretty soon. Firefox 3.5.5 just came out, and it usually takes Firefox add-on developers a little while to catch up. Unfortunately, for right now all you can do is sit and wait. I also use an XSS testing tool from Acunetix that has given me good results, although I haven’t tested it yet with Firefox 3.5.5. Link below.
It's a really helpful tutorial 🙂 Thanks Travis
Glad that helped.
I am just not understanding how to analyze the results that are obtained through XSS-Me. I would appreciate any help you can offer.
Basically, if it shows up red, that character is allowed to be inserted into that input; if it shows up green, the application is blocking that character from being inserted. Does that help explain it?