Security gone awry: IE 8 XSS filter exposes sites to XSS attacks | Zero Day | ZDNet.com
The cross-site scripting filter that ships with Microsoft’s Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat.
According to a presentation at this year’s Black Hat Europe conference, the issue introduces security problems at several high-profile websites, including Microsoft’s own Bing.com (screenshot), Google.com, Wikipedia.org, Twitter.com (screenshot) and just about any site that lets IE 8 users create profiles.
[ SEE: Anti-malware blocker, XSS protections coming in IE 8 ]
Microsoft added the anti-XSS feature in IE 8 last August to detect Type-1 (reflection) attacks that can lead to cookie theft, keystroke logging, Web site defacement and credentials theft. However, as the researchers discovered, Microsoft’s filters work by scanning outbound requests for string that may be malicious.
This is where the hiccup exists:
When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server’s response then the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack will be unsuccessful.
The exact method used to alter a server’s response is a crucial component in preventing XSS attacks. If the attack is not properly neutralized then a malicious script may stil execute. On the other hand, it is also crucial that benign requests are not accidentally detected.
The researchers figured out a way to use the IE 8’s altered response to conduct simple abuses and universal cross-site scripting attacks
The cross-site scripting filter that ships with Microsoft’s Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat.
According to a presentation at this year’s Black Hat Europe conference, the issue introduces security problems at several high-profile websites, including Microsoft’s own Bing.com (screenshot), Google.com, Wikipedia.org, Twitter.com (screenshot) and just about any site that lets IE 8 users create profiles.
[ SEE: Anti-malware blocker, XSS protections coming in IE 8 ]
Microsoft added the anti-XSS feature in IE 8 last August to detect Type-1 (reflection) attacks that can lead to cookie theft, keystroke logging, Web site defacement and credentials theft. However, as the researchers discovered, Microsoft’s filters work by scanning outbound requests for string that may be malicious.
This is where the hiccup exists:
When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server’s response then the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack will be unsuccessful.
The exact method used to alter a server’s response is a crucial component in preventing XSS attacks. If the attack is not properly neutralized then a malicious script may stil execute. On the other hand, it is also crucial that benign requests are not accidentally detected.
The researchers figured out a way to use the IE 8’s altered response to conduct simple abuses and universal cross-site scripting attacks
