Solved

Could an XSS attack be mounted using Firebug?

Posted on 2010-09-21
6
1,993 Views
Last Modified: 2012-05-10
This may be in the "dumb questions category." But I was wondering if it would be possible to use Firebug to create an XSS attack. It seems to be possible but only in the trivial case of disclosing the attacker's information only.

But I was wondering if anyone could see a way to make a non-trivial attack. And how would one defend against such?

Any ideas?
Question by:jasimon9
6 Comments
 
LVL 11

Expert Comment

by:ProfessorBindokas
ID: 33732371
Hi

Main defenses against cross site scripting are:
1. validation checks in the code framework, e.g., Microsoft's ASP.NET has a nice suite of built-in validation checks that can be used to defend against XSS issues.  J2EE has safeguards as well;
2. the use of a web application firewall "in front" of your application to prevent execution calls to "foreign" websites for script execution (caveat, ensuring that ALL traffic goes through the web application firewall and no send-arounds are possible).

An example of a non-trivial attack would be hijacking of account credentials, which are stored in the form of a SessionID on a cookie and the use of that cookie to impersonate the user on another system.  Another example is use of a XSS vulnerability to modify the information a user is posting to a website, which can be non-trivial if the post information is mission critical or financial in nature.
0
 

Author Comment

by:jasimon9
ID: 33736621
You have defined XSS. But you have not addressed my question about Firebug as a means of attacking at all.
0
 
LVL 4

Expert Comment

by:rajivvishwa
ID: 33737358
Firebug is nothing but an enhanced HTTP Request-Response parser. To perform XSS attacks, Firebug needs automation capabilities to send requests in a particular format and validate the response for XSS patterns. For that you have different Firefox addons like XSS Me (https://addons.mozilla.org/en-US/firefox/addon/7598).

To be frank, even I was thinking along the same lines, i.e. to extend Firebug to make it work like a security scanner.
0
 
LVL 64

Accepted Solution

by:
btan earned 250 total points
ID: 33759664
Firebug intercepts the "execution code" of the Firefox browser. It is more of a client proxy web code debugger. It does not directly tamper with the web traffic but is more able to set a breakpoint on each web call as you browse through the website using Firefox. We may change a parameter in the code for testing purposes or even tamper with that instance of code. It is just reflected at that instance, not at the client.

The key is that XSS will only occur if the real website has such a vulnerability. In other words, if the website has an XSS flaw, Firebug can single step through and identify that active JavaScript to be executed. You may change the script content, but having a browser proxy like Burp or Paros can do more to tamper with the web traffic (received and sent out).

In summary, I will say that Firebug can help to discover XSS (esp. DOM based) instead of directly injecting XSS for persistent. Check out this short example on DOM based XSS

@ http://www.net-security.org/dl/articles/Blueinfy-JavaScript-Hacking.pdf 
0
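An added illustration of the point in the accepted answer (example code, not from the thread or from Firebug): the flaw has to already exist in the page's own script for a debugger to expose it, and the same source-to-sink pattern one would step through by hand is what a crude scan can flag. The `makeElement` stand-in, the `#name=` fragment parameter and the scan regexes are constructed for this example.

```javascript
// Fake element standing in for a DOM node (constructed so the example runs in Node without a
// browser; a real innerHTML getter would re-serialize the markup, here the string is kept as assigned).
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Untrusted source: the URL fragment, e.g. "#name=Alice" (hypothetical page parameter).
function nameFromHash(hash) {
  const m = /^#name=(.*)$/.exec(hash);
  return m ? decodeURIComponent(m[1]) : "guest";
}

// VULNERABLE: fragment text flows straight into an HTML sink. This is the flaw Firebug can
// only reveal (by stepping through it); Firebug does not put it there.
function renderGreetingUnsafe(el, hash) {
  el.innerHTML = "Hello, " + nameFromHash(hash) + "!";
  return el.innerHTML;
}

// HARDENED (a): treat the value as text, never as markup.
function renderGreetingSafe(el, hash) {
  el.textContent = "Hello, " + nameFromHash(hash) + "!";
  return el.textContent;
}

// HARDENED (b): if markup must be assembled, entity-encode the untrusted part first.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function renderGreetingEscaped(el, hash) {
  el.innerHTML = "Hello, " + escapeHtml(nameFromHash(hash)) + "!";
  return el.innerHTML;
}

// Crude same-line source-to-sink scan over page script text: a starting point for what one
// would otherwise single-step in a debugger. It misses flows that pass through a variable.
const DOM_SOURCES = /location\.(hash|search|href)|document\.(referrer|URL|cookie)/;
const DOM_SINKS = /\.(innerHTML|outerHTML)\s*=|document\.write\(|\beval\(/;
function findDomXssCandidates(scriptText) {
  const hits = [];
  scriptText.split("\n").forEach((line, i) => {
    if (DOM_SOURCES.test(line) && DOM_SINKS.test(line)) hits.push({ line: i + 1, text: line.trim() });
  });
  return hits;
}
```

Modifying the fragment or the script inside Firebug only changes what that one browser instance renders; the server-side page is unchanged, which is why the unsafe sink must be fixed in the page itself.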
 

Author Comment

by:jasimon9
ID: 33762532
You are getting close to the exact nature of my question.

I am essentially wondering if Firebug could be used to create a vulnerability on a page where no vulnerability previously exists. You are saying that this cannot happen, and that there would already have to be a vulnerability to exploit.

If that is in fact what you are saying, then I am thinking my question is answered.

The further point about using Firebug to discover vulnerabilities is also interesting, but is really outside the scope of my question.
0
 
LVL 64

Expert Comment

by:btan
ID: 33763150
I will say Firebug is good as a DOM inspector or JavaScript interpreter. It can be extended to inject attacks into the website for testing purposes, but that is also just validating that the website is vulnerable and not making it vulnerable. If interested in more, can check out
@ http://www.tekbar.net/hackers-and-security/proficient-in-javascript-attacked-the-framework.html

Hope it helps
0
