XSS Auditor reports

Designed to help stop Reflected Cross-Site Scripting (XSS) attacks but often exploited to extract information from pages. Introduced in Internet Explorer 8 back in 2009 as XSS Filter and in Chrome 4 in 2010, controlled by the X-XSS-Protection HTTP header. The feature was completely removed in Chrome 78 and in Microsoft Edge in 2018. It currently works in Safari and WebKit-based browsers (any browser on iOS) only.

The `X-XSS-Protection` response header:

X-XSS-Protection: 1; report=https://balsa.has.report/report.php

1: enable the auditor
report: where to send the reports to

There's some JavaScript on this page, and hitting the button below will send the same JavaScript in the request. Now, browser sees a request with some code, then the same code comes back in the response, so this must be the Reflected XSS attack! The browser has no idea the code is always there and it's not in fact a Reflected XSS attack but will block it anyway.

show the code ▼

<script>console.log('Send this to the page I dare you, I double dare you!');</script>
<form action="?auditor=triggered" method="post">
  <input type="hidden" name="some" value="input">
  <input type="hidden" name="trigger" value="&lt;script&gt;console.log('Send this to the page I dare you, I double dare you!');&lt;/script&gt;">
  <button id="trigger" class="blocked">Trigger the XSS Auditor</button>
  <span class="browser not-supported hidden">🍌 Not supported in your browser</span>
</form>

Blocked, the JavaScript will not run
Will trigger a report
Check your reports

Example XSS Auditor report

This is how the report looks like (or looked like in case of Chrome):

{
  "xss-report": {
    "request-url": "<URL>",
    "request-body": "<post data, if any>"
  }
}

XSS Auditor reports

The X-XSS-Protection response header:

Example XSS Auditor report

The `X-XSS-Protection` response header: