

Firefox 3D view helps spot XSS vulnerabilities - robin_reala
http://drewgoodwin.com/posts/2012/07/17/firefox-3d-view-helps-spot-xss-vulnerabilities/

======
dgalling
No, the 3D view can help you spot when someone has already injected content
into your page.

But not really, because most of the time, the "content" injected into your
page is a script tag, which doesn't show up in the 3D view.

~~~
dwg
You're correct that the script tag will not show. However, we train our
testers to use special characters, including < and >, in their test data. It
happens that the environment in which we spotted the vulnerability was our QA
environment.

~~~
dgalling
The 3D view definitely makes it a bit more visible, but as someone who has
spent a considerable amount of time testing XSS filters, it's not all that
useful, since you generally know exactly where in the output your input will
be, and also because looking at the raw output (not the constructed DOM tree)
is a better way to identify XSS vulns.

It's a cool observation nonetheless, and props for catching XSS vulns in your
QA environment, not production ;)

------
rmc
Although this is correct, the real way to handle XSS vulnerabilities is to
default deny and encode all data, like Django does. Require the developer to
whitelist some parts.

Relying on injecting the data and then looking for it in a fancy 3d view is
not a very robust way to do it.

~~~
mfontani
Using Perl, I love how Text::Xslate does _exactly that_ by default, unless you
"| mark_raw" the data that you _know_ needs instead to be interpreted as HTML.
That's the way to do it!
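
The default-encode, explicitly-whitelist approach discussed in this sub-thread, as an added Python example that is not part of the thread and is not Django's or Text::Xslate's code. `render`, `mark_raw`, `reflects_unencoded`, the template and the probe string are hypothetical names and constructed test data; the last helper checks the raw output rather than the rendered DOM.

```python
import html
import re

class MarkedRaw(str):
    """String the developer has explicitly declared to be trusted HTML."""

def mark_raw(value):
    # Hypothetical opt-in helper, named after the "| mark_raw" filter mentioned above.
    return MarkedRaw(value)

_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def render(template, context):
    """Fill {{ name }} placeholders, HTML-encoding every value by default."""
    def substitute(match):
        value = context[match.group(1)]
        if isinstance(value, MarkedRaw):
            return str(value)                       # whitelisted: emitted as-is
        return html.escape(str(value), quote=True)  # default: encode
    return _PLACEHOLDER.sub(substitute, template)

# Constructed QA test data containing special characters, including < and >.
PROBE = 'qa<b>"probe"</b>&'
TEMPLATE = "<p>Hello, {{ name }}</p><div>{{ banner }}</div>"

def reflects_unencoded(raw_output, probe=PROBE):
    """True if the probe appears in the raw response with its markup intact."""
    return probe in raw_output

def demo():
    banner = mark_raw("<em>Welcome</em>")  # developer-authored markup
    # Untrusted value goes through the default path and is encoded.
    safe_page = render(TEMPLATE, {"name": PROBE, "banner": banner})
    # The mistake to look for in review: untrusted input marked raw.
    unsafe_page = render(TEMPLATE, {"name": mark_raw(PROBE), "banner": banner})
    return safe_page, unsafe_page

if __name__ == "__main__":
    safe_page, unsafe_page = demo()
    print(safe_page)
    print("encoded page reflects probe:", reflects_unencoded(safe_page))
    print("raw-marked page reflects probe:", reflects_unencoded(unsafe_page))
```

Concatenating a `MarkedRaw` value with an ordinary string yields a plain `str`, so the result falls back to the encoded path.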

------
emillon
What does it have to do with XSS vulnerabilities?

~~~
MindTwister
They found out that they had unfiltered input, which is usually used for XSS.

