
XSS Auditor reports

The XSS Auditor was designed to help stop reflected Cross-Site Scripting (XSS) attacks, but it was often exploited to extract information from pages. It was introduced in Internet Explorer 8 back in 2009 as the XSS Filter and in Chrome 4 in 2010, and is controlled by the X-XSS-Protection HTTP header. The feature was completely removed in Chrome 78 and in Microsoft Edge in 2018. It currently works only in Safari and WebKit-based browsers (which includes any browser on iOS).

The X-XSS-Protection response header:

X-XSS-Protection: 1; report=https://mackey.has.report/report.php

There is some JavaScript on this page, and hitting the button below sends that same JavaScript in the request. The browser then sees a request containing code and the same code coming back in the response, so it concludes this must be a reflected XSS attack. It has no way of knowing that the code is always there and that this is not in fact a reflected XSS attack, but it will block it anyway.


Example XSS Auditor report

This is what the report looks like (or looked like, in the case of Chrome):

  {
    "xss-report": {
      "request-url": "<URL>",
      "request-body": "<post data, if any>"
    }
  }
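The following is an added example, not code from this page, showing what the receiving side of the `report=` directive above typically has to do: accept the POSTed JSON, validate that it has the `xss-report` / `request-url` / `request-body` shape shown above before trusting any of it, and reduce it to a loggable summary. The size limit, the `example.test` host in the constructed sample report, and the `127.0.0.1:8080` listen address are assumptions for this example; the two report field names are the ones shown on the page.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Arbitrary cap on report size (an assumption for this example); the collector is
# reachable by any browser, so it should not buffer unbounded input.
MAX_REPORT_BYTES = 64 * 1024

# A constructed sample report in the shape shown on the page.
SAMPLE_REPORT = json.dumps({
    "xss-report": {
        "request-url": "https://example.test/demo?q=hello",
        "request-body": "",
    }
}).encode("utf-8")


def parse_xss_report(body: bytes) -> dict:
    """Validate an XSS Auditor report and return a summary of its fields.

    Expected shape:  {"xss-report": {"request-url": "...", "request-body": "..."}}
    Raises ValueError for anything else so a malformed or oversized report is
    never stored or acted upon.
    """
    if len(body) > MAX_REPORT_BYTES:
        raise ValueError("report too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"report is not valid JSON: {exc}") from None
    if not isinstance(doc, dict) or not isinstance(doc.get("xss-report"), dict):
        raise ValueError("missing 'xss-report' object")
    report = doc["xss-report"]

    url = report.get("request-url")
    if not isinstance(url, str):
        raise ValueError("'request-url' must be a string")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("'request-url' is not an absolute http(s) URL")

    # "request-body" is only present for POST requests, so treat it as optional.
    post_data = report.get("request-body", "")
    if not isinstance(post_data, str):
        raise ValueError("'request-body' must be a string")

    return {
        "host": parts.hostname,
        "path": parts.path or "/",
        "query": parts.query,
        "has_body": bool(post_data),
    }


def is_valid_report(body: bytes) -> bool:
    """Convenience wrapper: True if parse_xss_report accepts the body."""
    try:
        parse_xss_report(body)
        return True
    except ValueError:
        return False


class ReportHandler(BaseHTTPRequestHandler):
    """Minimal collector for the report= endpoint; always answers 204."""

    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = 0
        body = self.rfile.read(min(length, MAX_REPORT_BYTES + 1))
        try:
            summary = parse_xss_report(body)
            print("xss-report accepted:", summary)  # real deployments: ship to a log pipeline
        except ValueError as exc:
            print("xss-report rejected:", exc)
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt, *args):
        # Keep the default access log quiet; the lines above are the record.
        pass


if __name__ == "__main__":
    # Point the header at this process, e.g.
    #   X-XSS-Protection: 1; report=http://127.0.0.1:8080/report.php
    HTTPServer(("127.0.0.1", 8080), ReportHandler).serve_forever()
```

Only the host, path, query and a body-present flag are kept from the report: the `request-url` is attacker-influenced data (it is whatever URL the browser thought was being attacked), so a collector should treat it as untrusted input and never render it unescaped in a dashboard.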