XSS Hunter: Using XSS Auditor For ¹­Âç¤Ê¡¿Â¿¿ô¤Î¡¿½ÅÍ×¤Ê Good

discussion: Hacker News, reddit
What is XSS Auditor?
It's a built in chrome(and IE) Æ»¶ñ, switched on by default(you can »ÙÇۡʤ¹¤ë¡Ë¡¿ÅýÀ©¤¹¤ë it with X-XSS-Êݸî header, either 0;, 1; or 1;Éõº¿¤¹¤ë), which ¸¡ºº¡¿»ë»¡¤¹¤ës all request params and ÊÖÅú ÃÄÂΡ¿»àÂÎ trying to find if any of param ¸½ºß¤Î as malicious script inside of ÃÄÂΡ¿»àÂÎ. If it ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ës anything Ⱦüʪ - by default it just ½üµî¤¹¤ës it from HTML. It can lead to weird things..

First of all we will use it for some evil.
I am telling nothing new, but a trick from my previous ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë - slicing scripts and events you don't like in some page
You can ½üµî¤¹¤ë any event "on*", any javascript:... link and any <script> tag. Best Ūs: ³Îǧ¤¹¤ës(to make clickjacking easier) and framebuster scripts, sending them in request params(?½üµî=<script>remove_me();</script>). Without them life of hacker gets easier.

Don't touch my framebuster!
I created a neat trick to disallow such things to happen. Just put some ̵ºî°Ù¤Î code in your code(<script src="framebuster.js?<%=¥é¥ó¥É(1,9999)%>"></script>) - nobody knows how code looks in ÊÖÅú so it's impossible to 'ºï¸º¡Ê¤¹¤ë¡Ë' it off.

XSS Auditor is a ¶ìÄË in ass for scriptkiddies.
This is out of question. They just hate it. So let's use it even for greater good!
I wrote a ¥Ç¥â script which ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ës if XSS Auditor ½üµî¤¹¤ëd any ÃíÆþ¤¹¤ë and if it did - we ²ò¸Û¤¹¤ë¡¿Ë¤²Ð¡¿¼Í·â up ʸ½ñ.onxssprotection event(which will ÄÌÃΤ¹¤ë the ¹ÔÀ¯´±¡¿´ÉÍý¼Ô of website for example).

Don't touch my auditor of XSS Auditor!
And we don't want our XSS auditor ½üµî¤¹¤ëd either - so when you use it be sure to Îá¾õ src="auditor.js?RANDOM"

I like it more than any WAF - "native" ´Ä¶­ ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ës XSSes better than server Ì£Êý¤¹¤ë middlewares(take into account ¶ÈÀÓ¡¿À®²Ì too).

This code is rather ¥Ç¥â and may content bugs, I did not ¼Â¸³¡Ê¤¹¤ë¡Ë it in all browsers and IE. Feel ²òÊü¤¹¤ë¡¿¼«Í³¤Ê to Í¿¤¨¤ë¡¿Êû¤²¤ë.