XSS Auditor reports
Designed to help stop reflected Cross-Site Scripting (XSS) attacks, but often exploited to extract information from pages.
Introduced in Internet Explorer 8 back in 2009 as XSS Filter and in Chrome 4 in 2010, controlled by the X-XSS-Protection HTTP header.
The feature was completely removed in Chrome 78 and in Microsoft Edge in 2018. Apple removed XSS Auditor in Safari 15.4.
The X-XSS-Protection response header:
X-XSS-Protection: 1; report=https://math.has.report/report
- 1: enable the auditor
- report: where to send the reports to
There's some JavaScript on this page, and hitting the button below will send the same JavaScript in the request. Now the browser sees a request containing some code, and the same code comes back in the response, so this must be a Reflected XSS attack! The browser has no idea the code is always there and that this is not in fact a Reflected XSS attack, but it will block it anyway.
<script>console.log('Send this to the page I dare you, I double dare you!');</script>
<form action="?auditor=triggered" method="post">
<input type="hidden" name="some" value="input">
<input type="hidden" name="trigger" value="<script>console.log('Send this to the page I dare you, I double dare you!');</script>">
<button disabled class="blocked disabled">Trigger the XSS Auditor</button>
<span class="not-supported">🍌 Not supported in your browser</span>
<small>but you can try <button>anyway</button></small>
</form>
- Would be blocked if your browser supported the auditor; the JavaScript wouldn't run
- Would trigger a report in supported browsers
- Check your reports
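The false positive described above comes from the auditor's core heuristic: script that arrives in the request and shows up again in the response is treated as reflected. The following is an added, deliberately simplified model of that decision (not the page's code and not Chrome's or IE's real implementation, which tokenised HTML and normalised input far more carefully). It runs the demo form's own request against a page that always contains the script, and a constructed genuinely reflected case for contrast. The page script and URLs are taken from this page; `example.test` hosts are constructed.

```javascript
// Added model of the XSS Auditor heuristic; not the browsers' real code.
// Constructed from the demo above: the script that is always present in the page.
const PAGE_SCRIPT =
  "<script>console.log('Send this to the page I dare you, I double dare you!');</script>";
// Constructed sample response: the static script plus the demo form.
const PAGE = `<html><body>${PAGE_SCRIPT}<form action="?auditor=triggered" method="post"></form></body></html>`;

// Collect <script>...</script> blocks from a response body.
// A regex is enough for this toy model; a real auditor tokenises the HTML.
function scriptBlocks(html) {
  const out = [];
  const re = /<script\b[^>]*>[\s\S]*?<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[0]);
  return out;
}

// The heuristic: a script in the response counts as "reflected" when the same
// text is present verbatim in the request (query string or POST body).
// Returns the offending script block, or null when nothing is flagged.
function auditorVerdict(requestUrl, requestBody, responseHtml) {
  const query = new URL(requestUrl).searchParams;
  const body = new URLSearchParams(requestBody || '');
  const requestValues = [...query.values(), ...body.values()];
  for (const block of scriptBlocks(responseHtml)) {
    if (requestValues.some((v) => v.includes(block))) return block;
  }
  return null;
}

// Three requests against the model:
//  plain     - ordinary GET of the demo page: the script is there, but was never sent
//  triggered - the demo form's POST, which carries the same script in the body
//  reflected - a constructed page that echoes a query parameter unescaped
function demoVerdicts() {
  const plain = auditorVerdict('https://example.test/page', '', PAGE);

  const formBody = new URLSearchParams({ some: 'input', trigger: PAGE_SCRIPT }).toString();
  const triggered = auditorVerdict(
    'https://example.test/page?auditor=triggered', formBody, PAGE);

  const injected = '<script>/* constructed reflected payload */</script>';
  const echoPage = `<p>Results for ${injected}</p>`; // echoes q without escaping
  const reflected = auditorVerdict(
    'https://example.test/search?q=' + encodeURIComponent(injected), '', echoPage);

  return { plain, triggered, reflected };
}

console.log(JSON.stringify(demoVerdicts(), null, 2));
```

Only `plain` comes back null: the form submission is flagged exactly like the real reflection, because the model (like the auditor) has no way to tell a script the page always contains from one the request injected. That is why the page's own form, with nothing malicious in it, was enough to trigger a block and a report.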
Example XSS Auditor report
This is what the report looked like:
{
"xss-report": {
"request-url": "<URL>",
"request-body": "<post data, if any>"
}
}
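To show how the header and the report fit together server-side, here is an added example (not the page's own code): a builder for the header value and a parser for the JSON above as the endpoint named in `report=` would receive it. The report shape and the report URL are the page's; `mode=block` is the header's other real directive but does not appear on this page. The parser treats the body as untrusted client input (any client can POST arbitrary JSON to the endpoint) and keeps only parameter names from `request-body`, since that field carries the raw form data of the blocked request.

```javascript
// Added example; not the page's code. Report URL from the page above.
const REPORT_URI = 'https://math.has.report/report';

// Build an X-XSS-Protection value: "0" disables, "1" enables, with optional
// mode=block (block the page instead of filtering) and report= directives.
function xssProtectionHeader({ enabled = true, block = false, reportUri = null } = {}) {
  if (!enabled) return '0';
  const parts = ['1'];
  if (block) parts.push('mode=block');
  if (reportUri) parts.push(`report=${reportUri}`);
  return parts.join('; ');
}

// Validate and summarise one report body. Requires the documented shape
// ({"xss-report": {"request-url": ..., "request-body": ...}}), bounds the URL
// length, and withholds request-body values: they are the submitted form
// fields and may contain credentials or other personal data.
function parseXssReport(rawBody, { maxUrlLength = 2048 } = {}) {
  let doc;
  try {
    doc = JSON.parse(rawBody);
  } catch {
    return { ok: false, error: 'invalid JSON' };
  }
  const r = doc && doc['xss-report'];
  if (!r || typeof r !== 'object') return { ok: false, error: 'missing xss-report' };
  const requestUrl = r['request-url'];
  if (typeof requestUrl !== 'string') return { ok: false, error: 'missing request-url' };
  if (requestUrl.length > maxUrlLength) return { ok: false, error: 'request-url too long' };
  let url;
  try {
    url = new URL(requestUrl);
  } catch {
    return { ok: false, error: 'request-url is not a URL' };
  }
  const body = typeof r['request-body'] === 'string' ? r['request-body'] : '';
  return {
    ok: true,
    origin: url.origin,
    path: url.pathname,
    queryParams: [...url.searchParams.keys()],          // names only
    bodyParams: [...new URLSearchParams(body).keys()],  // names only, values withheld
    bodyLength: body.length,
  };
}

// Constructed sample: what the demo form's blocked request would report.
const SAMPLE_REPORT = JSON.stringify({
  'xss-report': {
    'request-url': 'https://example.test/page?auditor=triggered',
    'request-body': 'some=input&trigger=%3Cscript%3E',
  },
});

console.log(xssProtectionHeader({ reportUri: REPORT_URI }));
console.log(JSON.stringify(parseXssReport(SAMPLE_REPORT), null, 2));
```

A receiver built this way logs where the block happened and which parameters were involved, which is what you need to find the false positives the page describes, without turning the report endpoint into a second copy of every blocked form submission.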