Re: UK Nationwide Logon Stalling FF 47.0.1

Posted: Fri Jul 29, 2016 10:42 am
by NS001
Thrawn wrote: That's why we suggested using a separate profile. But yes, it's the bank's mistake.
Now this is confusing. I am using a separate profile, but as soon as I install NoScript and allow the website the problem occurs. Yes, I could turn off the XSS feature and live happily ever after, but I prefer to know what sites have XSS problems. Are you saying ABE is available outside of NoScript?

Re: UK Nationwide Logon Stalling FF 47.0.1

Posted: Sat Jul 30, 2016 9:02 am
by Thrawn
I'm saying that you could switch off the XSS filter in the bank-only profile, while using ABE to ensure that you can't open any other site. Feel free to periodically check on the bank in your regular profile to see whether they've picked up their game.

Re: UK Nationwide Logon Stalling FF 47.0.1

Posted: Sat Jul 30, 2016 9:52 am
by NS001
Thrawn wrote: Feel free to periodically check on the bank in your regular profile to see whether they've picked up their game.
Thanks, that works fine. Much better. Having got used to using the bank profile, old habits die hard. What are the chances of a passive feature that indicates the site has an XSS liability? I think it will be more by accident that I try to log on to Nationwide under the other profile, but it would amount to a periodic check. I'll have a play around with the ABE language. Perhaps the script you gave could be formally documented as an example of ABE coding?

Re: UK Nationwide Logon Stalling FF 47.0.1

Posted: Sun Jul 31, 2016 11:31 pm
by Thrawn
NS001 wrote: What are the chances of a passive feature that indicates the site has an XSS liability?
Low, bordering on nonexistent. The filter only fires on requests that look like actual XSS attempts. There isn't a reliable way to distinguish a real attack from a website design so poor that it looks like one.