XSSBuster

XSSB is a proactive DOM sanitizer that defends against client-side injection attacks (DOM-based XSS).

The Problem:

Every unaudited third-party JS library you include in your DOM adds to the risk of an accidental DOM-based cross-site scripting issue. Whether it is for advertising, web analytics, social widgets or anything else, all sorts of third-party code is susceptible to injection attacks.

Examples of this are:

The Solution:

XSSB mainly relies on taint checking to guard against the accidental mistakes and poor security practices commonly found in JS libraries that can lead to DOM-based XSS vulnerabilities.

Roughly, it works like this: data from untrusted input sources such as window.name, location.hash, document.referrer and window.onmessage is tainted and continuously tracked for changes. XSSB then overrides security-sensitive functions and DOM APIs (e.g. eval(), document.write(), Element.prototype.appendChild()) to enforce taint checking and block insecure operations such as eval(location.hash.slice(1)) or document.write(window.name).

So XSSB lets you deploy any given third-party code into your DOM while covering your DOM's back. Note that its target is accidental misuse of sinks by otherwise trusted code: a deliberately malicious script running in the same origin can restore the original DOM APIs, so XSSB does not replace auditing what you include.
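The taint check described above, as an added example that is not XSSBuster's own code: untrusted sources are marked as tainted, and sinks are wrapped so that any string derived from a tainted source is refused before the real implementation runs. Because the example runs under Node without a DOM, location.hash and window.name are modelled as constructed strings, and eval() and document.write() are replaced by constructed stand-ins; the MIN_TAINT_LENGTH threshold is an assumption of this example, not a value from XSSBuster.

```javascript
// Simplified taint tracking for DOM XSS sinks (added example, not XSSBuster's code).
// Untrusted sources are modelled as plain strings so the example runs under Node;
// in a browser they would be read from location.hash, window.name, etc.

// Registry of values that arrived from untrusted sources.
const taintedSources = new Set();

// A fragment of a tainted source shorter than this is treated as harmless
// (e.g. a single character). Assumption for this example only.
const MIN_TAINT_LENGTH = 8;

// Mark a value from an untrusted source as tainted and return it unchanged.
function taint(value) {
  if (typeof value === 'string' && value.length > 0) taintedSources.add(value);
  return value;
}

// A string is tainted if it contains a tainted source (concatenation), or if it
// is a long enough fragment of one (derivations such as hash.slice(1)).
function isTainted(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  for (const source of taintedSources) {
    if (value.includes(source)) return true;
    if (value.length >= MIN_TAINT_LENGTH && source.includes(value)) return true;
  }
  return false;
}

class TaintError extends Error {
  constructor(sink, value) {
    super(`${sink}: refusing tainted input ${JSON.stringify(value)}`);
    this.name = 'TaintError';
  }
}

// Wrap a sink so every argument is taint-checked before the original runs.
// In a browser the same wrapper would be installed on the real sink, e.g.
// window.eval = guardSink('eval', window.eval).
function guardSink(name, original) {
  return function guarded(...args) {
    for (const arg of args) {
      if (isTainted(arg)) throw new TaintError(name, arg);
    }
    return original.apply(this, args);
  };
}

// Constructed stand-ins for eval() and document.write() (no DOM under Node).
const page = { html: '' };
const sinks = {
  eval: guardSink('eval', (code) => Function(`"use strict"; return (${code});`)()),
  documentWrite: guardSink('document.write', (markup) => { page.html += markup; return page.html; }),
};

// Exercise the guard with constructed attacker-controlled source values.
function demo() {
  const locationHash = taint('#<img src=x onerror=alert(1)>'); // constructed location.hash
  const windowName = taint('alert(document.cookie)');          // constructed window.name
  const result = { benignEval: null, benignWrite: null, writeBlocked: false, evalBlocked: false };

  result.benignEval = sinks.eval('1 + 2');               // untainted: allowed
  result.benignWrite = sinks.documentWrite('<p>hi</p>'); // untainted: allowed

  try {
    sinks.documentWrite(locationHash.slice(1));          // document.write(location.hash.slice(1))
  } catch (e) {
    result.writeBlocked = e instanceof TaintError;
  }
  try {
    sinks.eval(windowName);                              // eval(window.name)
  } catch (e) {
    result.evalBlocked = e instanceof TaintError;
  }
  return result;
}
```

In a real deployment the wrappers go on the actual sinks (window.eval, document.write, Element.prototype.appendChild, and so on) before any third-party script loads; for node-taking sinks such as appendChild the check has to inspect the script text or attribute values of the node rather than a plain string argument.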

Usage Instructions:

Simply place the script element for XSSBuster.js before any other third-party scripts you include in your webpage(s), typically at the very top of the head tag. The ordering matters: the overrides must be in place before third-party code runs and can capture references to the original APIs.

<head>
    <title>Example</title>
    <script type="text/javascript" src="XSSBuster.js"></script>
    <script type="text/javascript" src="thirdParty-library.js"></script>
</head>

Notes:

Demo:

A live demo can be found at: https://xssb.herokuapp.com.

Performance:

In tests, XSSB takes about 10 milliseconds on average to perform all of its security checks, apart from registering a few necessary event listeners.

Compatibility:

XSSB is compatible with the latest versions of all major web browsers (Firefox, Chrome, IE, Edge, Safari and Opera) as well as most legacy browsers, through fallback functionality.

Known Issues:

Credits: