Thursday, July 16, 2009

WebScarab - BeanShell to Disable IE8 XSS

Using WebScarab for security testing? Here's how to disable the IE8 XSS filter. This is a good move since the IE8 filter is filled with so many false positives that its impossible to perform a fair test unless this feature is turned off.

Add the following to WebScarab's BeanShell. This can be found under Proxy->Bean Shell. Make sure the enable box is checked and hit commit.



/* Please read the JavaDoc and/or the source to understand what methods are available */
/* Template provided by http://michael-coates.blogspot.com/ */

import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;
import java.io.IOException;
import java.io.*;

public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {

//=====Make changes to the requests=========
//=====Remember: These changes will be applied to all requests while the bean is enabled. ============
//request.setHeader("User-Agent","MySuperBrowser");
//==============


//Send the request and fetch the response - this is required for requests to work
Response response = nextPlugin.fetchResponse(request);

//=====Make changes to the response=========
//Modify the response to set the anti-xss header for IE8
response.setHeader("X-XSS-Protection","0");

return response;
}




-Michael Coates