Windows_Security

I tested Netcraft XSS a few years ago. Chrome was testing its new (at that time) same origin policy and offered some tests to go with it. The XSS protection of Netcraft did quite well.

I guess it is based on text patterns and command sequences which indicate client-side injected scripts (making them first party, so you would need to block all scripts to be protected, not just third-party).
 

HarborFront

> I tested Netcraft XSS a few years ago. Chrome was testing its new (at that time) same origin policy and offered some tests to go with it. The XSS protection of Netcraft did quite well.
>
> I guess it is based on text patterns and command sequences which indicate client-side injected scripts (making them first party, so you would need to block all scripts to be protected, not just third-party).

Do you know what type(s) of XSS is Netcraft protecting against?

1) Stored XSS
2) Reflected XSS
3) DOM based XSS

NoScript for FF protects against 2) and 3) only. FF protects against 2) only. Chrome no longer protects against XSS.
 

shmu26

Yesterday I was trying to order a flight online and I was signing into various booking sites and airline sites. I got stopped in my tracks by the new Netcraft. I couldn't enter my login credentials into one of the sites. So yes, it works. But maybe it works too well. Either that, or it was an infected site.
 

Windows_Security

> Do you know what type(s) of XSS is Netcraft protecting against?
>
> 1) Stored XSS
> 2) Reflected XSS
> 3) DOM based XSS
>
> NoScript for FF protects against 2) and 3) only. FF protects against 2) only. Chrome no longer protects against XSS.

Don't know; do I recall correctly that no client-based protection is possible against 1 (because stored XSS is injected on the server of the website or web application itself)?
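To make the stored-versus-reflected distinction in the two posts above concrete, here is an added example (written for this thread, not Netcraft's actual logic, whose internals are not described here). It models the classic browser "XSS auditor" heuristic that Chrome and IE once shipped: compare the script content the browser is about to execute in a response against what the request carried, and flag a script that arrived verbatim from the URL. The sample URLs, hostnames and HTML are constructed; the auditor finds a reflected payload and an injected event handler, but has nothing to compare against for a stored payload, which is the gap the question about type 1 points at.

```python
"""Toy reflected-XSS auditor (constructed example, not Netcraft's code).

Old browser XSS auditors worked roughly like this: if an executable fragment
in the response (a <script> body or an inline on* handler) is also present in
the request that produced the page, it was almost certainly injected through
the request and should not run. A stored payload was written to the server by
an earlier request, so the current request contains nothing to match: that is
why this kind of client-side check cannot catch stored XSS.
"""
import re
from html import unescape
from urllib.parse import urlsplit, unquote_plus

# Where injected markup actually executes: script bodies and inline handlers.
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
EVENT_ATTR = re.compile(
    r"\bon[a-z]+\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.I)
MIN_LEN = 8  # very short fragments would match by coincidence


def normalize(text):
    """Decode entities, drop whitespace and case so trivial mangling is ignored."""
    return re.sub(r"\s+", "", unescape(text)).lower()


def executable_fragments(html):
    """Return normalized script bodies and inline event-handler values."""
    frags = [m.group(1) for m in SCRIPT_BODY.finditer(html)]
    for m in EVENT_ATTR.finditer(html):
        frags.append(next(g for g in m.groups() if g is not None))
    return [normalize(f) for f in frags if len(normalize(f)) >= MIN_LEN]


def request_material(url):
    """Everything attacker-controlled that the request carried: query + fragment."""
    parts = urlsplit(url)
    return normalize(unquote_plus(parts.query) + " " + unquote_plus(parts.fragment))


def reflected_xss_suspect(url, html):
    """Return the first executable fragment that also appears in the request, else None."""
    req = request_material(url)
    if not req:
        return None  # nothing in the request could have been reflected
    for frag in executable_fragments(html):
        if frag in req:
            return frag
    return None


# Constructed samples. Case 1: payload reflected from the query string.
REFLECTED_URL = ("https://shop.example/search?"
                 "q=%3Cscript%3Ealert(document.cookie)%3C/script%3E")
REFLECTED_HTML = "<p>Results for <script>alert(document.cookie)</script></p>"

# Case 2: same payload, but stored server-side by an earlier post; the
# current request is a plain page load and carries no payload to compare.
STORED_URL = "https://forum.example/thread/42"
STORED_HTML = ("<div class=comment>nice thread"
               "<script>alert(document.cookie)</script></div>")

# Case 3: benign search; the page's own script is not in the request.
BENIGN_URL = "https://shop.example/search?q=winter+jackets"
BENIGN_HTML = '<script>renderResults("winter jackets")</script>'

# Case 4: attribute breakout injecting an inline handler via the query.
ATTR_URL = ("https://shop.example/item?"
            "name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E")
ATTR_HTML = '<input value=""><img src=x onerror=alert(1)>">'

if __name__ == "__main__":
    for label, url, html in [("reflected", REFLECTED_URL, REFLECTED_HTML),
                             ("stored", STORED_URL, STORED_HTML),
                             ("benign", BENIGN_URL, BENIGN_HTML),
                             ("attribute", ATTR_URL, ATTR_HTML)]:
        print(f"{label:9s} -> {reflected_xss_suspect(url, html)!r}")
```

The stored case returns `None` not because the page is clean but because the heuristic has no request-side evidence to work with; a client-side tool that wants to cover stored XSS has to fall back on content patterns or script blocking, which is the trade-off discussed in the posts above.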
 

Windows_Security

> Yesterday I was trying to order a flight online and I was signing into various booking sites and airline sites. I got stopped in my tracks by the new Netcraft. I couldn't enter my login credentials into one of the sites. So yes, it works. But maybe it works too well. Either that, or it was an infected site.

Or does Netcraft try to read out which content management, SQL, or PHP software version the website is using, and when one of the software versions has a critical vulnerability listed, it simply blocks it?
 

Burrito

> Yesterday I was trying to order a flight online and I was signing into various booking sites and airline sites. I got stopped in my tracks by the new Netcraft. I couldn't enter my login credentials into one of the sites. So yes, it works. But maybe it works too well. Either that, or it was an infected site.

Yeah, this happened to me as well.

Not with a travel site, but another site that required keyboard input.

It was frustrating as I played with all sorts of security applications that could have caused it... I didn't suspect Netcraft as it never interfered with anything.

Finally, I figured it out.

This extension is really very good. (y)

Good to know that Netcraft is doing something. I've used it for a long time... it's never actually blocked anything. But I have a lot of 'stuff' on my computer -- maybe it was always beaten to the punch by something else.
 

ebocious

It may seem contradictory that a default-deny proponent such as myself would be disinterested in a default-deny script blocker for the browser, but there it is. While I only install new apps and updates once or twice a week, I probably surf a couple hundred websites in a day. NoScript is a no-no for me.

Malwarebytes Browser Guard may be a bit heavy on resources and prone to false positives, but it doesn't grind my surfing to a halt. I think I have decent coverage between MBBG, TrafficLight, and Windows Defender Browser Protection for dealing with zero-day threats. Anything that gets through them and the sandbox then has to deal with AppGuard or Cruel Comodo (except on the Macs, which are hardened and protected with a few apps from Objective-See).
 