IE8 XSS Filter: What Does It Really Do?

Internet Explorer 8 has a new security feature, the XSS filter, which attempts to intercept cross-site scripting attempts. It is described as follows:

The XSS filter, new to Internet Explorer 8, detects JavaScript in POST URLs and HTTP messages. If JavaScript is detected, the XSS filter looks for evidence of reflection, information that will be returned to the attacking website if the attack request was sent unchanged. If reflection is detected, the XSS filter clears the original request so that additional JavaScript cannot be executed.

I find that the XSS filter is triggered even when there is no "evidence of reflection", and I am starting to think that the filter simply notices when the request is sent to another site and the response contains JavaScript.

But even this is difficult to verify, because the effect seems to come and go. IE has different zones, and when I think I have reproduced the problem, the filter no longer kicks in, and I don't know why.

Does anyone have any tips on how to deal with this? What is the filter really looking for? Is there a way for a good guy to POST data to a third-party site that returns HTML to display in an iframe, without triggering the filter?

Reference information: I download a JavaScript library from a third-party site. This JavaScript collects some data from the current HTML page and sends it to the third-party site, which responds with some HTML code that is displayed in the iframe. To see it in action, go to the page

+43
internet-explorer-8 xss
Jan 12 '10 at 19:12
3 answers

What does it really do? It allows third parties to link to a broken version of your site.

It fires when [several conditions are met, and] it sees a string in the query string that also exists verbatim in the page and that it thinks might be dangerous.

It assumes that if <script>something()</script> exists both in the query string and in the page code, it must be because your server-side script is unsafe and reflected that string directly as markup without escaping.

But of course, apart from the fact that this is a perfectly valid request that someone might type and match by coincidence, it is just as likely that they match because someone looked at the page and deliberately copied part of it. For example:

http://www.bing.com/search?q=%3Cscript+type%3D%22text%2Fjavascript%22%3E

Follow this in IE8, and I have successfully sabotaged your Bing page so that it gives script errors and the pop-up output bits don't work. Essentially, this gives an attacker whose link is followed the ability to pick and disable parts of the page he doesn't like, and this may include other security-related measures, such as framebuster scripts.

What does IE8 consider "potentially dangerous"? It is much bigger and much weirder than this script tag. For example. Moreover, it seems to match a set of "dangerous patterns" using a text-pattern system (presumably regular expressions) instead of any kind of HTML parser, like the one that eventually parses the page. Yes, use IE8 and your browser is parsing HTML with regex.

XSS protection by looking at strings in the request is completely bogus. It cannot be "fixed"; the concept itself is mistaken in essence. Aside from the problem of kicking in when it is not needed, it can never protect you from anything but the simplest attacks, and attackers are likely to work around such blocks as IE8 becomes more widely used. If you forget to escape your HTML output, you will still be vulnerable; all this XSS "protection" can offer you is a false sense of security. Unfortunately, Microsoft seems to like this false sense of security; there is a similar "XSS protection" in ASP.NET, server side.

So, if you are in charge of writing the webapp, and you have correctly escaped your HTML output like a good boy, it would definitely be nice to disable this unwanted, non-working, incorrect intrusion by sending the header:

 X-XSS-Protection: 0 

in your HTTP responses. (And use ValidateRequest="false" on your pages if you are using ASP.NET.)

For everyone else who is still concatenating strings together in PHP without worrying about proper encoding ... well, you can leave it on as well. Don't expect it to really protect your users, but your site is already broken, so who cares if it breaks a little more, right?

To see it in action, go to the AOL Food page and click the Print icon just above the story.

Oh yes, I see this breakage in IE8. It's not immediately clear where IE has hacked the content that stopped it executing, though ... the only cross-domain request I see that is a candidate for the XSS filter is http://h30405.www3.hp.com/print/start:

 POST /print/start HTTP/1.1
 Host: h30405.www3.hp.com
 Referer: http://recipe.aol.com/recipe/oatmeal-butter-cookies/142275?

 csrfmiddlewaretoken=undefined&characterset=utf-8&location=http%253A%2F%2Frecipe.aol.com%2Frecipe%2Foatmeal-butter-cookies%2F142275&template=recipe&blocks=Dd%3Do%7Efsp%7E%7B%3D%25%3F%3D%3C%28%2B.%2F%2C%28%3D3%3F%3D%7Dsp%7Ct@kfoz%3D%25%3F%3D%7E%7C%7Czqk%7Cpspm%3Db3%3Fd%3Do%7Efsp%7E%7B%3D%25%3F%3D%3C%7D%2F%27%2B%2C.%3D3%3F%3D%7Dsp%7Ct@kfoz%3D%25%3F%3D%7E%7C%7Czqk...

where the blocks parameter continues with pages more of gibberish. Presumably there is something in there that (coincidentally?) is reflected in the returned HTML and triggers one of IE8's tainted ideas about what an XSS exploit looks like.

To fix this, HP needs to make the server on h30405.www3.hp.com include the X-XSS-Protection: 0 header.

+54
Jan 12 '10 at 20:40
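The answer above recommends two things together: escape the reflected input properly, and then send X-XSS-Protection: 0 so the browser-side heuristic cannot rewrite a response that is already correct. The following is an added example, not code from the original post or from any site it mentions: a hypothetical WSGI search page (`search_app`) that reflects a `q` parameter through `html.escape` and sets the header, plus a small offline `call` helper that invokes it with a constructed environ. The query string in the usage block is the one quoted in the answer.

```python
import html
from io import BytesIO
from urllib.parse import parse_qs


def search_app(environ, start_response):
    """Hypothetical WSGI app that reflects the `q` query parameter.

    The reflected value is HTML-escaped (quote=True also escapes " and '),
    so a query such as q=<script>...</script> is rendered as text and never
    becomes markup. Because the output is escaped, the app also sends
    X-XSS-Protection: 0, as the answer suggests, so IE8's filter has nothing
    to "fix" and cannot break the page on a cross-site link.
    """
    params = parse_qs(environ.get("QUERY_STRING", ""))
    query = params.get("q", [""])[0]  # parse_qs already decodes %xx and '+'
    safe = html.escape(query, quote=True)
    body = (
        '<html><body><form><input name="q" value="{0}"></form>'
        "<p>Results for: {0}</p></body></html>"
    ).format(safe)
    data = body.encode("utf-8")
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(data))),
        ("X-XSS-Protection", "0"),  # opt out of the browser-side heuristic
    ]
    start_response("200 OK", headers)
    return [data]


def call(app, query_string):
    """Invoke a WSGI app offline with a constructed environ.

    Returns (status, headers-as-dict, body-as-str) so the result can be
    inspected without a real server.
    """
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {
        "REQUEST_METHOD": "GET",
        "QUERY_STRING": query_string,
        "wsgi.input": BytesIO(b""),
    }
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    # The Bing-style query from the answer, URL-encoded as it appears in the link.
    status, headers, body = call(search_app, "q=%3Cscript+type%3D%22text%2Fjavascript%22%3E")
    print(status, "X-XSS-Protection:", headers["X-XSS-Protection"])
    print(body)
```

The key property is that the raw string `<script type="text/javascript">` never appears in the response body, so neither a real script injection nor the filter's verbatim-match heuristic has anything to find; the header only removes the remaining false-positive risk.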

You should send me (ericlaw @microsoft) a network capture (www.fiddlercap.com) of the scenario that you think is incorrect.

The XSS filter works as follows:

  • Is XSSFILTER enabled for this process? If yes, proceed to the next check. If not, bypass the XSS filter and continue loading.
  • Is this a "document" load (like a frame, not a subdownload)? If yes, proceed to the next check. If not, bypass the XSS filter and continue loading.
  • Is this an HTTP/HTTPS request? If yes, proceed to the next check. If not, bypass the XSS filter and continue loading.
  • Does the RESPONSE include the X-XSS-Protection header? Yes: Value = 1: XSS filter enabled (no URLAction check). Value = 0: XSS filter disabled (no URLAction check). No: go to the next check.
  • Is the site loading in a zone where the URLAction allows XSS filtering? (Default: Internet, Trusted, Restricted.) If yes, proceed to the next check. If not, bypass the XSS filter and continue loading.
  • Is this a cross-site request? (Referer header: does the final (post-redirect) domain name in the HTTP request's Referer header match the fully qualified domain name of the returned URL?) If yes, bypass the XSS filter and continue loading. If not, then the URL in the request must be neutered.
  • Does the heuristic inspection of the RESPONSE data indicate unsafe request data? If yes, modify the response.

Now the exact details of #7 are pretty complicated, but basically you can imagine that IE matches the request data (URL / POST body) against the response data (script body), and if they match, then the response data is modified.

In the case of your site, you will want to look at the POST body sent to http://h30405.www3.hp.com/print/start and the corresponding response.

+25
Jan 12 '10 at 19:39
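To make the seven checks above concrete, here is an added example that models them as a single decision function; it is not Microsoft's code and does not reproduce the real filter's signatures. Everything in it is an assumption made for illustration: the `DANGEROUS` regex stands in for the undocumented "dangerous pattern" list in step 7, the verbatim-substring test stands in for the reflection match, step 6 is read as "if the Referer host equals the response host, the request is same-site and the filter is bypassed", and the hosts, zones and bodies in the usage block are constructed. The cases it runs through are the situations discussed on this page: a cross-site link carrying a script-looking query that the page reflects verbatim, the same page sending X-XSS-Protection: 0, a same-site request, a page that escapes its output, and a POST whose body is reflected.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Stand-in for IE8's undocumented "dangerous pattern" heuristic (assumption).
DANGEROUS = re.compile(r"<\s*script|javascript\s*:|on\w+\s*=", re.IGNORECASE)

# Zones whose default URLAction allows filtering, per the answer's list.
ZONES_WITH_FILTER = {"internet", "trusted", "restricted"}


def xss_filter_decision(url, response_headers, response_body, *,
                        filter_enabled=True, is_document_load=True,
                        referer=None, zone="internet", request_body=""):
    """Model of the seven checks in the answer above.

    Returns one of:
      'bypass'              - an early check took the filter out of the path
      'disabled-by-header'  - X-XSS-Protection: 0 was sent by the server
      'unchanged'           - filter ran, nothing matched
      'modified'            - filter ran and would rewrite the response
    """
    # 1. Is the filter enabled for this process?
    if not filter_enabled:
        return "bypass"
    # 2. Is this a document load (frame/top-level), not a subdownload?
    if not is_document_load:
        return "bypass"
    # 3. Is this an HTTP/HTTPS request?
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return "bypass"
    # 4. Does the response carry X-XSS-Protection? 0 disables, 1 forces on.
    lowered = {k.lower(): v for k, v in response_headers.items()}
    header = lowered.get("x-xss-protection")
    skip_zone_check = False
    if header is not None:
        value = header.split(";")[0].strip()
        if value == "0":
            return "disabled-by-header"
        if value == "1":
            skip_zone_check = True
    # 5. Does the zone's URLAction allow filtering?
    if not skip_zone_check and zone.lower() not in ZONES_WITH_FILTER:
        return "bypass"
    # 6. Same-site request (Referer host matches response host)? Then bypass.
    if referer and urlsplit(referer).hostname == parts.hostname:
        return "bypass"
    # 7. Heuristic: does a dangerous-looking request value appear verbatim
    #    in the response? Values come from the query string and POST body.
    candidates = [v for _, v in parse_qsl(parts.query)]
    candidates += [v for _, v in parse_qsl(request_body)]
    for value in candidates:
        if DANGEROUS.search(value) and value in response_body:
            return "modified"
    return "unchanged"


# Constructed sample page that, like the Bing example on this page, contains
# the string <script type="text/javascript"> in its own markup.
PAGE_WITH_SCRIPT = (
    '<html><head><script type="text/javascript">init();</script></head>'
    "<body>Results</body></html>"
)
# Constructed page that reflects the same query, but escaped.
PAGE_ESCAPED = (
    "<html><body><p>Results for: "
    "&lt;script type=&quot;text/javascript&quot;&gt;</p></body></html>"
)
QUERY_URL = "http://search.example/search?q=%3Cscript+type%3D%22text%2Fjavascript%22%3E"


if __name__ == "__main__":
    cases = {
        "cross-site link, verbatim reflection": xss_filter_decision(
            QUERY_URL, {}, PAGE_WITH_SCRIPT, referer="http://other.example/"),
        "same page with X-XSS-Protection: 0": xss_filter_decision(
            QUERY_URL, {"X-XSS-Protection": "0"}, PAGE_WITH_SCRIPT,
            referer="http://other.example/"),
        "same-site navigation": xss_filter_decision(
            QUERY_URL, {}, PAGE_WITH_SCRIPT, referer="http://search.example/"),
        "escaped output": xss_filter_decision(
            QUERY_URL, {}, PAGE_ESCAPED, referer="http://other.example/"),
        "reflected POST body": xss_filter_decision(
            "http://print.example/print/start", {},
            "<div><script>x()</script></div>", referer="http://recipe.example/",
            request_body="template=%3Cscript%3Ex()%3C%2Fscript%3E"),
    }
    for name, outcome in cases.items():
        print(f"{name:40s} -> {outcome}")
```

Note what the model makes visible: the verbatim match in step 7 is exactly why an escaped page is never "modified", and why a cross-site link to a page that legitimately contains the same markup as the query is. Sending the header short-circuits the decision at step 4, before the zone and Referer checks, which matches the coming-and-going behaviour the question describes when those later checks differ between zones.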

This is actually worse than it might seem. The XSS filter can make secure sites insecure. Read here: http://www.h-online.com/security/news/item/Security-feature-of-Internet-Explorer-8-unsafe-868837.html

From this article:

However, Google disables the IE XSS filter by sending the X-XSS-Protection: 0 header, which makes it immune.

I don't know enough about your site to judge whether this might be the solution, but you can probably try it. A more detailed technical discussion of the filter and how you can disable it is here: http://michael-coates.blogspot.com/2009/11/ie8-xss-filter-bug.html

+7
Jan 12 '10 at 19:17