By kannthu
The "XSS-Protection Header - Cross-Site Scripting" module detects HTTP responses that still enable the deprecated X-XSS-Protection header. The header was meant to switch on the built-in XSS filter of older browsers, but that filter has since been removed from current browsers, and the filtering modes it enabled could themselves be abused on the client side; the recommendation documented on MDN is to set the header to 0 (or omit it) and rely on a Content-Security-Policy instead. The module therefore targets responses whose X-XSS-Protection value begins with 1 (for example 1 or 1; mode=block) and does not carry the value 0.
This module has an informative severity level: the finding is reported for awareness and does not by itself demonstrate an exploitable weakness on the website.
This module was authored by joshlarsen.
Sending X-XSS-Protection with the filter enabled is a misconfiguration rather than a protection. Modern browsers ignore it, and in the browsers that did implement the filter it could be turned against the page, for example by tricking the filter into blocking a legitimate script. Cross-site scripting itself remains as serious as ever: it lets an attacker inject and execute script in the context of the site, potentially compromising user sessions, data and system security. The appropriate defence is context-aware output encoding together with a Content-Security-Policy, not this header.
The "XSS-Protection Header - Cross-Site Scripting" module works by analyzing the HTTP response headers of a website. It checks for the presence of the X-XSS-Protection header and evaluates its value using two matching conditions that are combined with AND, so both must hold for a finding to be reported:
- Condition 1 (negative match): the response must not contain an X-XSS-Protection header set to 0. A value of 0 is the recommended setting, so such responses are excluded.
- Condition 2: the response must contain an X-XSS-Protection header whose value begins with 1 (for example 1 or 1; mode=block), meaning the legacy browser filter is switched on.
The module reports a finding only when both conditions are met; a response with no X-XSS-Protection header at all matches neither Condition 2 nor the report.
Example HTTP request:
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Matching conditions:
- Condition 1:
- Part: Header
- Type: Regex
- Regex: (?i)x-xss-protection: 0
- Negative: True
- Condition: And
- Condition 2:
- Part: Header
- Type: Regex
- Regex: (?i)x-xss-protection: 1+
- Negative: False
- Condition: And
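The following Python script is an added example, not code from Vidoc or from the module's author: it re-implements the two matching conditions listed above as they are described (case-insensitive regex search over the raw response header block, "negative" inverting the result, all conditions ANDed; those semantics are an assumption drawn from the table, not a confirmed detail of the scanner engine), runs them over constructed sample responses, and puts a stricter line-by-line header parser beside the regex so the difference between the two is visible.

```python
import re

# Conditions transcribed from the module description above. Assumed semantics:
# each regex is searched over the raw header block, "negative" inverts the
# result, and every condition must hold (AND).
CONDITIONS = [
    {"part": "header", "regex": r"(?i)x-xss-protection: 0", "negative": True},
    {"part": "header", "regex": r"(?i)x-xss-protection: 1+", "negative": False},
]


def module_fires(raw_headers: str) -> bool:
    """Evaluate the module's matchers; True means a finding would be reported."""
    for cond in CONDITIONS:
        matched = re.search(cond["regex"], raw_headers) is not None
        if cond["negative"]:
            matched = not matched
        if not matched:          # AND: one failing condition is enough to stop
            return False
    return True


def parse_xss_protection(raw_headers: str):
    """Stricter check: parse the header block line by line and return the first
    token of the X-XSS-Protection value ('0', '1', ...) or None when absent.
    Unlike the regex it tolerates missing or extra whitespace after the colon."""
    for line in raw_headers.split("\r\n")[1:]:   # skip the status line
        if line == "":
            break                                # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-xss-protection":
            return value.strip().split(";", 1)[0].strip()
    return None


def classify(raw_headers: str) -> str:
    """'enabled' when the legacy filter is switched on, 'disabled' for a value
    of 0, 'absent' when the header is not sent at all."""
    token = parse_xss_protection(raw_headers)
    if token is None:
        return "absent"
    return "disabled" if token == "0" else "enabled"


# Constructed sample responses (hypothetical, not captured from any real host).
SAMPLES = {
    "legacy_block":  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
    "legacy_filter": "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1\r\n\r\n",
    "disabled":      "HTTP/1.1 200 OK\r\nx-xss-protection: 0\r\n\r\n",
    "absent":        "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'\r\n\r\n",
    "no_space":      "HTTP/1.1 200 OK\r\nX-XSS-Protection:1; mode=block\r\n\r\n",
}


def run_all():
    """Return {sample: (module_fires, classify)} for every constructed sample."""
    return {name: (module_fires(h), classify(h)) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, (fires, state) in run_all().items():
        print(f"{name:14s} module_fires={fires!s:5s} parsed={state}")
```

Two things worth noticing when reading the regexes: `1+` only means "one or more 1 characters", so Condition 2 is effectively "the value begins with 1", and both patterns hard-code a single space after the colon. A server that emits `X-XSS-Protection:1; mode=block` with no whitespace (which RFC 7230 permits) is missed by the module, while the line-by-line parser still classifies it as enabled; if you extend the module, `x-xss-protection:\s*1` is the more forgiving form.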
For more information, refer to the Mozilla Developer Network page on the X-XSS-Protection header, which documents its deprecation and the recommended replacement (Content-Security-Policy).