How to do Cross Site Scripting Test

Set parameter value includes: "'<>()

• "'><script>alert('XSS');</script>

Solution

• Check every parameter.
• Don't output parameter value in the page directly.

Example

randinblogger.blogspot.com/?m="'><script>alert('XSS');</script>

IE/Edge only show # because XSS filter(X-XSS-Protection)

IE/Edge only show # because XSS filter(X-XSS-Protection)

If a cross-site scripting attack is detected, the IE will sanitize the page and only show a "#" as default header.

X-XSS-Protection: 0

Disables XSS filtering.

X-XSS-Protection: 1

Enables XSS filtering(usually default in browsers), sanitize the page.

X-XSS-Protection: 1; mode=block

Enables XSS filtering, prevent rendering of the page if an attack is detected.

X-XSS-Protection: 1; report=<reporting-uri>

Enables XSS filtering, sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.

In PHP

header("X-XSS-Protection: 1; mode=block");

By .htaccess

<IfModule mod_headers.c>
  Header set X-XSS-Protection "1; mode=block"
</IfModule>

Controlling the XSS Filter(Microsoft)
X-XSS-Protection(MDN)