Comments on: IE’s XSS Filter Creates XSS Vulnerabilities

By: Jess

Jess — Wed, 24 Feb 2010 23:51:35 +0000

As for me, I am using this tool for preventing XSS disasters:
http://xss-scanner.com

By: Tom T.

Tom T. — Fri, 27 Nov 2009 09:49:09 +0000

@ #14: My Arabic is a little more rusty than my German, but it looks like the headline is:

Technical magazine: Non-secure IE 8 across XSS as a means of protection against attacks

From the article:

"NoScript is in disagreement with the add-on in IE8.
It analyses answers server and not requests for users, which could be the attackers of manipulation of answers server and injection certain codes for its implementation, Giorgio Maone says.

"And who did not disclose the details of the matter is that the whole matter is based on an error in the basic design, which should be reconsidered in the design, Maone adds."

Pretty bad translation — I know people who could do better — but the bottom line comes out the same in any language. Looks like the whole world knows the story. :-)

By: Tech Thursday – Python and YQL, new Google layout, Quake in Flash and LOLSQL | Techno Portal

Thu, 26 Nov 2009 15:23:06 +0000

[…] Ironically a bug in Internet Explorer’s XSS filter allows to inject code into web sites. […]

By: وسيلة الحماية من هجمات XSS على Internet Explorer 8 غير آمنة | المجلة التقنية

Thu, 26 Nov 2009 09:38:30 +0000

[…] http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/ Share and Enjoy: […]

By: Mr. Foo

Mr. Foo — Wed, 25 Nov 2009 11:24:31 +0000

XSS-Schutz des IE8 exploitbar

Der XSS-Schutz des IE8 bröckelt.Der neueingeführte Cross-Site-Scripting Schutz des Internet Explorer 8 lässt sich anscheinend aushebeln.
Gorgio (der Entwickler von NoScript) berichtet in einem Blogeintrag darüber.
Konkret liegt das Problem in der…

By: sirdarckcat

sirdarckcat — Wed, 25 Nov 2009 01:52:44 +0000

> Nope, a POST unsafe reload doesn’t break anything because the filtered request had been turned in a data-less GET and therefore did not modify webapp status.

I was refering to one time.. where the POST was stripped but the GET args were left, so it trigers an error (with the GET args) since there’s no POST data.. then if you do unsafe reload, it trigers an error since the nonce sent via GET was used before.

anyway, I only found that specific case on some openid service I was pentesting.. (against logic flaw errors, nothing to do with xss).. but well..

Greetz!

By: Giorgio

Giorgio — Tue, 24 Nov 2009 11:09:51 +0000

@sirdarckcat:

Thanks for your comment.

Yes, I was referring to “unsafe reload”.

break things (POST unsafe reloads for instance)

Nope, a POST unsafe reload doesn’t break anything because the filtered request had been turned in a data-less GET and therefore did not modify webapp status.

By: sirdarckcat

sirdarckcat — Tue, 24 Nov 2009 08:07:08 +0000

#9 @giorgio
thankz! thats a great ppt!!

regarding slide 16: user can disable the filter..

Anyway, mmm maybe you mean "unsafe reload" so then you are right.. that’s not possible..

I think webkit’s approach compared to IE’s is better (regarding compatibility) but IE is safer (actually, is the one with less bypasses so far.. evendo they did created security issues with the response rewriting approach..).. but NoScript request modification is known to either:
1.- break things (POST unsafe reloads for instance)
2.- hard to spot bugs (I wasnt used to check the error console before)

I would recommend you to allow the server to disable NoScript’s filter.. anyway, I dont have any good idea on how to do it.. =/

Said that.. great ppt again!! :)

Greetings!!

By: Giorgio

Giorgio — Mon, 23 Nov 2009 17:16:30 +0000

@sirdarckcat:
http://maone.net/downloads/OWASP-Italy_Day_IV_Maone.pdf

By: sirdarckcat

sirdarckcat — Mon, 23 Nov 2009 11:30:50 +0000

Hey could you upload your ppt? the owasp site fails..