Hi Giorgio Maone,
That is all understandable and is quite reassuring, so the protection of NoScript is completely foolproof in these respects, and having Firekeeper there is just educational, so that it will keep the browser user alert to what rules are eventually triggered.
I think it is never a bad thing for the security-savvy user to be aware of what is going on in the browser. I keep an eye on the error console and if something crops up I will report here, of course.
The Firekeeper rules against XSS exploits are as follows:
#Rules to detect cross site scripting attacks
####Created by Thomas Kilgore
# javascript: uri schemes in GET requests
alert(url_content:"javascript:"; nocase; msg:"javascript: GET request cross site scripting attempt"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"mocha:"; nocase; msg:"mocha: GET request cross site scripting attempt"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"livescript:"; nocase; msg:"livescript: GET request cross site scripting attempt"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
# normalish html tags using %3C and %3E in GET requests
alert(url_content:"%3CSCRIPT"; nocase; msg:"<script> tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CIMG"; nocase; msg:"<img> tags GET request cross site scripting attempt"; url_re:"/%3Cimg.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ciframe"; nocase; msg:"<iframe> tags GET request cross site scripting attempt"; url_re:"/%3Ciframe.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ciframe"; nocase; msg:"malformed <iframe< tags GET request cross site scripting attempt"; url_re:"/%3Ciframe.*%3C/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cbody"; nocase; msg:"<body> tags GET request cross site scripting attempt"; url_re:"/%3Cbody.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CINPUT"; nocase; msg:"<input> tags GET request cross site scripting attempt"; url_re:"/%3CINPUT.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CBGSOUND"; nocase; msg:"<bgsound> tags GET request cross site scripting attempt"; url_re:"/%3CBGSOUND.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CBR"; nocase; msg:"<br> tags GET request cross site scripting attempt"; url_re:"/%3Cbr.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Clayer"; nocase; msg:"<layer> tags GET request cross site scripting attempt"; url_re:"/%3Clayer.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Clink"; nocase; msg:"<link> tags GET request cross site scripting attempt"; url_re:"/%3Clink.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cstyle"; nocase; msg:"<style> tags GET request cross site scripting attempt"; url_re:"/%3Cstyle.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cmeta"; nocase; msg:"<meta> tags GET request cross site scripting attempt"; url_re:"/%3Cmeta.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cframe"; nocase; msg:"<frame> tags GET request cross site scripting attempt"; url_re:"/%3Cframe.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ctable"; nocase; msg:"<table> tags GET request cross site scripting attempt"; url_re:"/%3Ctable.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cdiv"; nocase; msg:"<div> tags GET request cross site scripting attempt"; url_re:"/%3Cdiv.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ctd"; nocase; msg:"<td> tags GET request cross site scripting attempt"; url_re:"/%3Ctd.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ca"; nocase; msg:"<a> tags GET request cross site scripting attempt"; url_re:"/%3Ca.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cbase"; nocase; msg:"<base> tags GET request cross site scripting attempt"; url_re:"/%3Cbase.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cobject"; nocase; msg:"<object> tags GET request cross site scripting attempt"; url_re:"/%3Cobject.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Capplet"; nocase; msg:"<applet> tags GET request cross site scripting attempt"; url_re:"/%3Capplet.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cembed"; nocase; msg:"<embed> tags GET request cross site scripting attempt"; url_re:"/%3Cembed.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cxml"; nocase; msg:"<xml> tags GET request cross site scripting attempt"; url_re:"/%3Cxml.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cspan"; nocase; msg:"<span> tags GET request cross site scripting attempt"; url_re:"/%3Cspan.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Chtml"; nocase; msg:"<html> tags GET request cross site scripting attempt"; url_re:"/%3Chtml.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ct:set"; nocase; msg:"<t:set> tags GET request cross site scripting attempt"; url_re:"/%3Ct:set.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
# suspicious HTML-looking input.
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3C"; url_content:"%2F"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %2F. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3C"; url_content:"'"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and '. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
# IE hax.
alert (msg:"smuggling Javascript inside an image"; headers_content:"image"; nocase; headers_re:"/^Content-Type.*image/mi"; body_re:"/<script/i";)
####
Why is there not a specific one just for Firefox?
Furthermore, many, many thanks for your detailed explanation of the facts,
luntrus
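As an added example (not Firekeeper's own code and not part of the post above), a small Python evaluator for the url_content / nocase / url_re subset of the rule syntax shown, run over constructed request URLs. It assumes Snort-style semantics where nocase modifies only the preceding content match, and it ignores reference: and the header/body options used by the "IE hax" rule.

```python
import re

# Added example: evaluator for the url_content / nocase / url_re subset of the
# Firekeeper rule syntax; reference: and header/body options are skipped.
OPT_RE = re.compile(r'\s*(\w+)(?::\s*(?:"([^"]*)"|([^;]*)))?\s*;')

def parse_rule(line):
    """Parse one alert(...) line into {'msg': str, 'checks': [[kind, value, nocase], ...]}."""
    m = re.match(r'\s*alert\s*\((.*)\)\s*$', line)
    if not m:
        return None
    rule = {"msg": "", "checks": []}
    for name, quoted, bare in OPT_RE.findall(m.group(1)):
        value = quoted or bare
        if name == "msg":
            rule["msg"] = value
        elif name == "url_content":
            rule["checks"].append(["url_content", value, False])
        elif name == "nocase" and rule["checks"]:
            rule["checks"][-1][2] = True  # assumed Snort-style: nocase modifies the preceding match
        elif name == "url_re":
            body, flags = re.fullmatch(r"/(.*)/([a-z]*)", value).groups()
            fl = (re.I if "i" in flags else 0) | (re.M if "m" in flags else 0)
            rule["checks"].append(["url_re", re.compile(body, fl), False])
    return rule

def rule_matches(rule, url):
    """Every check must hold (AND), as in Snort-style rules."""
    for kind, value, nocase in rule["checks"]:
        if kind == "url_content":
            hay, needle = (url.lower(), value.lower()) if nocase else (url, value)
            if needle not in hay:
                return False
        elif kind == "url_re" and not value.search(url):
            return False
    return True

def scan(rules_text, url):
    """Return the msg of each rule that fires on the given request URL."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.lstrip().startswith("alert")]
    return [r["msg"] for r in rules if r and rule_matches(r, url)]

# Two rules copied from the post (reference: options dropped for brevity).
RULES = '''
alert(url_content:"%3CSCRIPT"; nocase; msg:"<script> tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i";)
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like.";)
'''
```

Running scan(RULES, url) on a constructed URL such as http://example.test/?q=%3ca%20title%3d%22x%22%3e returns an empty list: the three "Suspicious looking" rules carry no nocase, so lowercase percent-escapes are outside their coverage, whereas the tag rules with nocase and an /i regex match either case.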