Welcome to the noXSS project

Description

noXSS is a Firefox extension that protects against reflective XSS. It is based on a technology proposed by Martin Johns, Joachim Posegga and Björn Engelmann.

The actual implementation was done by Jeremias Reith. Details on it can be found here.

Releases

The last public release is available on addons.mozilla.org.

Design Goals

  • Detection of reflective and most DOM based XSS
  • Ease of use
    • Should be an "install and forget" extension
    • False positive rate should be near zero
    • Should be unobtrusive until a XSS attack is detected
    • Main target audience are people who do not even know what XSS is
  • Should work with the official Firefox release (i.e. no patching)
  • Should not slow down the browser considerably
  • Should not break existing web pages
  • Developer mode where everything is scanned

Current Limitations

There is still a lot of work to do before noXSS can match NoScript's XSS Filter in practice. But we are confident that noXSS we will be able to offer comparable protection while maintaining a smaller false positive rate once the following things are done:

  • Full frame support (#2)
  • Scanning of POST data and relevant headers (#11)
  • Sub sequence matching (#3)
  • Emulation of SpiderMonkey's new line handling and code transformations (#14, #24)
  • Cross Site Data Tainting (#8)
  • Scanning HTML for markup injection (#33)

License

noXSS is licensed under the MPL/GPL/LGPL triple license which is the same license as Mozilla's Firefox is distributed with.

Source code

The full source code will be available via Subversion as soon as Jeremias Reith's master thesis about this extension is finished.