Monday 3 September 2012

Is Chrome more secure than other Browsers in XSS attacks

Posted on 23:42by with No comments
I come across one interesting thing today, looks like Chrome and Safari are more advanced in preventing XSS attacks  than other browsers. To check this, write a small submit form as  below

Test1.jsp

 <body>  
  <form method="get" action="test2.jsp">  
      Attack using this box : <input type="text" name="attack"/>  
      <input type="submit"/>  
  </form>  
 </body>

and a page to handle the submit

 Test2.jsp

 <%=request.getParameter("attack")%>

open the first one in a browser --> enter "<script> alert('hi......'); </script>" in the text box --> submit.

IE, Firefox, Opera - will show you an alert box with message "hi......"
Chrome and Safari - will not show anything but a blank screen.

In Chrome Console you can see the below error,

Refused to execute a JavaScript script. Source code of script found within request.

chrome detects the same source code in request and response and prevents the XSS attack. Same for Post method too.

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)