Support » Plugin: Prevent XSS Vulnerability » Chrome and IE

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Sami Ahmed Siddiqui

    (@sasiddiqui)

    Hi @makwelos

    Are you only using encoding feature or some other feature as well? Please share your settings screenshot.

    Also, you can not see some entities to be encoded in Browser URL. Let’s say %3C is the encoded value of < entity but when you add the encoded value in the URL then it automatically transforms to its entity.

    Let me know your thoughts and findings if you have.

    Thanks,
    Sami

    Hi Sami Ahmed Siddiqui

    I have enable all the options,Enable Blocking,Enable Encoding, Enable Escaping and im not excluding any Entites.

    Plugin Author Sami Ahmed Siddiqui

    (@sasiddiqui)

    @makwelos What’s the issue you are facing?

    If you have Enable Blocking then some entities gets removed from the URL. You can find the entities which are blocked by the plugin.

    If you can provide some URL and describe your issue in detail so maybe i can provide you some help in it.

    Thanks,
    Sami

    I have enabled the Blocking, in Chrome when i execute the below url i get the alert box but not in firefox.

    http://www.example.co.za/#'”&gt;

    Plugin Author Sami Ahmed Siddiqui

    (@sasiddiqui)

    @makwelos Please add the url under the code format. Secondly, Plugin prevent XSS attack which was sent to server whereas values after # will not pass to the server so this issue can not handled by the plugin.

    Regards,
    Sami

    Oh i see this issues is Cross-site scripting (DOM-based). Please see url below
    

    http://www.example.co.za/#'"><img src=1 onerror=alert(1)>

    • This reply was modified 9 months, 2 weeks ago by makwelos.
    • This reply was modified 9 months, 2 weeks ago by makwelos.
    • This reply was modified 9 months, 2 weeks ago by makwelos.
    Plugin Author Sami Ahmed Siddiqui

    (@sasiddiqui)

    There are 2 ways of DOM Based Cross-site scripting.

    1. Using Query String
    2. Using Fragmentation

    For now, this plugin secure your site from the Query String DOM Based XSS. You can more about the DOM Based XSS from here.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Chrome and IE’ is closed to new replies.