Back in Action on Paladin, XSS Me for 0.3

It’s Wednesday, October 26, 2011. I’ve been on something of a hiatus for a week or two as I’ve been mostly preoccupied with EJB605. It’s time to get back to work on OSD and not just because 0.2 is due tomorrow. Luckily, my particular project involves a steady linear progression towards completion at some point. I imagine that 0.2 will be the last release that I do for the Configurator Registry.

With that in mind, let me take a minute to point out how awesome it has been to work on Paladin. Coming from a background with a lot of interest in game development as well as a sizeable amount of work invested in other game engines over the past 2 or 3 semesters, I found Paladin to be very nicely written. The organization and enthusiasm of its volunteers and project leads is quite refreshing. This is why I will be going back to Paladin to help them out whenever I can in the near future. However, for my 0.3 release, I thought that I would like to change course a little bit.

XSS Me is an explicitly open-source FF add-on that tests sites for XSS vulnerabilities. It is a tool used and loved by many web devs around the world to test their sites for XSS flaws. For the uninitiated, an XSS flaw ( Cross-Site Scripting, shortened to XSS ) is a type of security flaw that allows an attacker to execute arbitrary Javascript on a website by submitting specially crafted user-data to that site. This can be something like a Facebook post or a user blog on a blogging site. This is very dangerous on websites like Facebook that thrive on user-submitted data. The results of a successful XSS attack can be devastating considering that the browser of each user viewing the attacker-submitted data will be executing whatever Javascript the attacker desires.

XSS Me partially mitigates this threat by doing the attacker’s work for you, thereby giving a webdev some indication as to whether their website is vulnerable to XSS attacks. I had the chance to work on XSS Me when I worked for Security Compass ( also see SecCom Labs ) as a part of Seneca’s coop program. What makes XSS Me interesting is that it does its work fast, really fast. XSS Me will send many requests to a target website, encoding an XSS attack vector into each request; it will then analyze each response, scanning for evidence that the attack vector had caused the site to execute specific Javascript encoded in each attack vector. Since Javascript is single threaded, one would think that this process is quite slow once you factor in the hundreds of attack vectors that have to be sent to the site.

To achieve its speed however, XSS Me gets clever. Since XSS Me is an FF Add-on and not a web-page Javascript, it gets more privileges as it executes in the browser’s context. XSS Me leverages this power by opening up multiple tabs and executing Javascript code in each one. In this way, XSS Me fakes real threading into Javascript.

This mostly works. However, some nasty bugs have emerged from this construct that are difficult or impossible to diagnose; one heisen-bug in particular caused me much grief as I tried to squash it, failing time and time again despite numerous attempts. With the advent of HTML5 and web workers, I saw a chance to update the core threading component of XSS Me to utilize web workers. I find this to be an exciting opportunity because I like concurrency J

None of this is for certain as I still have to discuss this plan with Humph; should it pan out however, I think that it would be an exciting way to enter the world of HTML5 threading. As well, if anyone else is interested in working on XSS Me, there’s plenty of work to go around.