
IE8 XSS Filter bypasses

When Microsoft launched their new Internet Explorer (IE) 8 browser in March of this year, it boasted a new security feature known as the 'XSS Filter', which filters malicious scripting code to prevent reflected (type 1) XSS attacks.


Cesar Cerrudo, while IE8 was still in BETA, found a way to bypass the filter by using a '2 stage XSS attack':

A 2 stage XSS attack is when the user has to browse to a second URL after browsing the initial URL for the XSS attack to take place. People may think that this attack is complicated and not reliable, but it's simple and very reliable and has almost the same success rate as a 1 stage XSS attack, since people want to get what they were looking for when browsing to the first URL and will continue browsing most of the time.


Here is a screenshot from a test against DVWA using the 2 stage attack payload which he provides on his blog:


[Screenshot: reflected_xss2]


As you can see, I was using the latest IE8 at the time on a fully patched Windows Vista box with the filter enabled:
[Screenshots: IE8_XSS_Filter_Enabled, Fully_Patched_IE8, windows_update]


Here is another bypass using a different payload:
[Screenshot: reflected_xss]


Microsoft have taken a great step forward in actively protecting their customers against XSS attacks, and I believe that in part they have succeeded; however, the XSS Filter still has a lot of room for improvement. There are other known bypasses against the filter, which can be found in the reference list below along with other sources of information.
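The practical lesson of these bypasses is that a browser-side filter is defence in depth, not the fix: the reflected parameter has to be encoded by the application before it reaches the page, so that no client filter is ever the last line of defence. The following is an added example (not code from this post, from DVWA, or from Cesar Cerrudo's write-up) showing a minimal reflected-search handler in its vulnerable form beside its hardened form. The query string, the page template and the function names are constructed for illustration; the sample value is harmless markup rather than any working payload.

```python
import html
from urllib.parse import parse_qs

# Constructed sample input: a query string as a "search results" page might
# receive it. The value is harmless bold markup, used only to show whether
# the application reflects raw HTML back to the browser.
SAMPLE_QUERY = "q=%3Cb%3Ehello%3C%2Fb%3E"  # decodes to q=<b>hello</b>


def _search_term(query_string: str) -> str:
    """Extract the 'q' parameter from a URL query string (hypothetical helper)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflects the parameter straight into the HTML: a type 1 (reflected) XSS
    pattern. With this code, a browser-side filter such as IE8's is the only
    thing between the attacker's URL and script execution in the victim's
    session, and the post above shows that filter being bypassed."""
    term = _search_term(query_string)
    return f"<p>You searched for: {term}</p>"


def render_hardened(query_string: str) -> str:
    """Same page, with the parameter HTML-entity-encoded before reflection.
    html.escape converts < > & " ' to entities, so the browser renders the
    input as text regardless of whether any client-side filter is active."""
    term = _search_term(query_string)
    return f"<p>You searched for: {html.escape(term, quote=True)}</p>"


def reflects_raw_markup(rendered: str, query_string: str) -> bool:
    """Defender's check: does the decoded parameter appear unencoded in the
    response body? True means the page is reflecting raw markup."""
    return _search_term(query_string) in rendered


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_QUERY))   # raw <b>hello</b> reaches the page
    print(render_hardened(SAMPLE_QUERY))     # &lt;b&gt;hello&lt;/b&gt; is shown as text
```

The `reflects_raw_markup` check is the kind of assertion worth keeping in an application's test suite: it fails on the vulnerable handler and passes on the hardened one, independently of which browser the user runs. IE8 also lets a site switch its filter off with an `X-XSS-Protection: 0` response header (see the MSDN reference below), which is a further reason the filter cannot be treated as the application's own protection.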


References:
http://en.wikipedia.org/wiki/Internet_Explorer_8
http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
http://nomoreroot.blogspot.com/2008/08/ie8-xss-filter.html
http://kuza55.blogspot.com/2008/09/ie8-xss-filter.html
http://www.80sec.com/ie8-security-alert.html

Posted on 20 November, 2009 by admin
