December 3, 2009

While testing a cross-site scripting vulnerability I ran into an interesting feature in Internet Explorer 8, the Cross Site Scripting filter. I was surprised when the browser popped up this message: “Internet Explorer has modified this page to help prevent cross-site scripting.” This really intrigued me, so I started looking at the source of the page. The first thing I noticed was that the browser had modified my page and replaced the first character in my script with a ‘#’ character. Here is the query string I had passed to the page:

?id=' onClick='alert("hi");' title='

The id parameter gets written as an attribute of a link tag. The expected result was that my link tag would end up looking like this:

<a href="" id='' onClick='alert("hi");' title=''>

This output would create an alert message when a user clicked on the link. This obviously doesn’t do anything spectacular, but it is a simple check when testing for XSS. I am happy to see that Microsoft is taking steps to help protect users from this type of attack. Most users do not take a close look at the URL they are clicking much past the domain name. Although this does not provide full protection against cross-site scripting attacks, it is another layer for the attacker to have to fight through.
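To show why the browser filter is only an extra layer and why the real fix belongs on the server, here is an added Python illustration (not code from this post; the post never shows the server side). It assumes a hypothetical template that drops the id parameter into the link tag, renders it once verbatim and once HTML-attribute-encoded, and parses the result to see which attributes a browser would actually end up with.

```python
from html import escape
from html.parser import HTMLParser

# The id parameter exactly as it appears in the post's query string
# (assumed already URL-decoded by the web server).
ID_PARAM = "' onClick='alert(\"hi\");' title='"


def render_link_vulnerable(id_value: str) -> str:
    """Hypothetical template that reflects the parameter verbatim: the quote
    in the value closes the id attribute and the rest becomes new attributes."""
    return "<a href=\"\" id='%s'>" % id_value


def render_link_hardened(id_value: str) -> str:
    """Same template with HTML attribute encoding. quote=True also encodes
    ' and ", so the browser sees one attribute whose text contains quotes."""
    return "<a href=\"\" id='%s'>" % escape(id_value, quote=True)


class _LinkAttrs(HTMLParser):
    """Collects the attributes of the first <a> tag, lower-cased like a browser."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = dict(attrs)


def link_attributes(markup: str) -> dict:
    """Parse rendered markup and return the link's attribute map; an
    'onclick' key means the injected handler survived into the DOM."""
    parser = _LinkAttrs()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    for render in (render_link_vulnerable, render_link_hardened):
        html = render(ID_PARAM)
        print(html)
        print("  attributes:", sorted(link_attributes(html)))
```

The vulnerable rendering reproduces the tag shown above; the encoded one keeps the whole payload inside the id attribute's value, so there is nothing left for a client-side filter to catch.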

I did a few quick tests and found some interesting side effects of this filter. I will include that information after I get a chance to do a little more testing.
