Monday 3 September 2012

Is Chrome more secure than other Browsers in XSS attacks

I come across one interesting thing today, looks like Chrome and Safari are more advanced in preventing XSS attacks  than other browsers. To check this, write a small submit form as  below

Test1.jsp

 <body>  
  <form method="get" action="test2.jsp">  
      Attack using this box : <input type="text" name="attack"/>  
      <input type="submit"/>  
  </form>  
 </body>  

and a page to handle the submit

Test2.jsp

 <%=request.getParameter("attack")%>  

open the first one in a browser --> enter "<script> alert('hi......'); </script>" in the text box --> submit.

IE, Firefox, Opera - will show you an alert box with message "hi......"
Chrome and Safari - will not show anything but a blank screen.

In Chrome Console you can see the below error,

Refused to execute a JavaScript script. Source code of script found within request.

chrome detects the same source code in request and response and prevents the XSS attack. Same for Post method too.