Skip to content

noXSS: A Firefox Extension for Defending Against Reflected XSS Attacks

After writing a Firefox extension that is still considered experimental, I decided to try to discover which Firefox extensions are the best ones that are considered experimental. After taking some time to look for experimental extensions to install, I came across one called “noXSS”, which can be found on this page on AMO. This extension, which is designed to protect its users from reflected (or non-persistent) XSS attacks, is currently a work in progress. In this post on the mozillaZine forums, it was requested that end users test it and give feedback about it. As I thought that this extension could be useful, and as I understand the importance of peer review, I decided to install this extension, test it, and give feedback on it.

As it says on the main page for the project here, this extension is based on technology proposed by two individuals from the University of Passau and one individual from the University of Hamburg. This paper in which this was proposed can be viewed in PDF form if you click here. In that paper, it was mentioned that input filtering and output sanitation are commonly used methods for preventing XSS attacks. However, the process of filtering of certain keywords that may indicate the possibility of an XSS attack, such as "document" or "javascript" tends to be flawed. This fact was noted in the paper, and the fact that output sanitation fails frequently was also noted. More complex and more reliable methods for detecting possible XSS attacks were proposed in that paper. It was suggested in that paper that data in HTTP requests and their corresponding HTTP responses should be analyzed and compared in order to report possible XSS attacks while preventing reports of false positives. It was said in that paper that when this XSS detecting software that was proposed was tested, there were no false negatives, and few false positives. Methods for further preventing false positives were also mentioned in the paper. Having said this, a Firefox extension based on what was proposed in this paper would be one that many would like to have.

The Firefox extension based on what was proposed in that paper currently only implements part of what was proposed in the paper. For example, it currently uses string matching when trying to detect XSS attacks, when the process of subsequence matching mentioned in the paper would detect more XSS attacks. However, in tests that I have run with it, it successfully prevented XSS attacks, except in situations that are not yet supported by this extension. In addition, I have yet to receive a false positive when using the newest version of noXSS. The testing that I had done on it may not have been thorough, and the author of the extension mentioned that there are some XSS attacks that it currently will not block. However, based on what I have seen on the noXSS project page regarding future plans and based on what I have seen in comments in the extension’s source code, there are clearly defined plans to make it work well in the future. At this time, one might still want to use the protection against XSS attacks offered by a Firefox extension named NoScript, which was mentioned both on the project page and on the paper on which this project is based. However, in the paper, it was said that use of NoScript can result in false positives because NoScript does not analyze as much HTTP data as the software proposed in the paper.

This Firefox extension has potential to be very useful, as it is based on technology that has already been found to work well. A number of individuals will need to test it and give feedback about it in order to ensure that it will be implemented properly. I will continue to test it, and I plan on testing future versions of it. I also may write more about it in the future. I look forward to working with future versions of this extension, and I plan on assisting in ensuring that it will work as well as it should.