MCPcopy Index your code
hub / github.com/0xSobky/XSSBuster

github.com/0xSobky/XSSBuster @v1.1.3

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.1.3 ↗ · + Follow
137 symbols 332 edges 4 files 6 documented · 4%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

XSSBuster

XSSB is a proactive DOM sanitizer, defending against client-side injection attacks.

The Problem:

With every unaudited third-party JS library you include into your DOM, the risk of accidental DOM-based cross-site-scripting issues rises linearly. It being for advertisement, web analytics, social widgets, et al., all sorts of third-party code is susceptible to injection attacks.

Examples of this are: * http://www.troyhunt.com/2015/07/how-i-got-xssd-by-my-ad-network.html * https://blogs.dropbox.com/tech/2015/09/csp-the-unexpected-eval/ * http://www.fuzzysecurity.com/tutorials/14.html * http://blog.mindedsecurity.com/2011/04/god-save-omniture-quine.html * https://hackerone.com/reports/125386#activity-888336

The Solution:

XSSB mainly utilizes taint checking to guard against accidental mistakes and poor security practices commonly employed by JS libraries that may lead to DOM-based XSS vulnerabilities.

So, basically, XSSB offers you the freedom to deploy any given third-party code into your DOM while at the same time covering your DOM's back!

Usage Instructions:

Simply place the script element of XSSBuster.js right before any other third-party scripts you include into your webpage(s), typically at the very top of the head tag:

<head>
    <title>Example</title>
    <script type="text/javascript" src="https://github.com/0xSobky/XSSBuster/raw/v1.1.3/XSSBuster.js"></script>
    <script type="text/javascript" src="https://github.com/0xSobky/XSSBuster/raw/v1.1.3/thirdParty-library.js"></script>
</head>

Notes:

  • Make sure to host XSSBuster.js on the same origin as the hosting webpage or use the "X-XSS-Protection: 0" HTTP header to guard against the potential abuse of browsers' integrated XSS auditors.
  • For the minified version, see XSSB-min.js.

Demo:

A live demo can be found at: https://xssb.herokuapp.com.

Performance:

Based on tests, XSSB only takes 10 milliseconds on average to do all required security checks besides the registration of a few necessary event listeners.

Compatibility:

XSSB is compatible with the latest versions of all major web browsers (Firefox, Chrome, IE, Edge, Safari, and Opera) as well as most legacy web browsers through fallback functionality.

Known Issues:

  • XSSB only allows for Basic Latin characters within the pathname, search query and hash of the hosting webpage's URL; that somewhat also applies to HTML5 messaging.... If your web application deals with a different set of characters, you may consider base64 encoding as a workaround.
  • XSSB overrides security-sensitive functions like eval in order to enforce taint checking. A side effect of this is that eval will behave more like jQuery's globalEval than the native implementation of eval in most web browsers.

Credits:

Core symbols most depended-on inside this repo

id
called by 26
test/QUnit/qunit-git.js
escapeText
called by 19
test/QUnit/qunit-git.js
isSafeArg
called by 16
src/XSSB-min.js
isSafeArg
called by 16
src/XSSBuster.js
sourceFromStacktrace
called by 12
test/QUnit/qunit-git.js
sanitize
called by 11
src/XSSB-min.js
sanitize
called by 11
src/XSSBuster.js
runLoggingCallbacks
called by 9
test/QUnit/qunit-git.js

Shape

Function 137

Languages

TypeScript100%

Modules by API surface

test/QUnit/qunit-git.js79 symbols
src/XSSBuster.js27 symbols
src/XSSB-min.js27 symbols
test/tests.js4 symbols

For agents

$ claude mcp add XSSBuster \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact