IE8 XSS Protection
While testing a cross site scripting vulnerability I ran into an interesting feature in Internet Explorer 8, the Cross Site Scripting filter. I was surprised when the browser popped up this message: “Internet Explorer has modified this page to help prevent cross-site scripting.” This really intrigued me, so I started looking at the source of the page. The first thing I noticed was that the browser had modified my page and replaced the first character in my script with a ‘#’ character. Here is the query string I had passed to the page:
?id=' onClick='alert("hi");' title='
The id parameter gets written as an attribute to a link tag. The expected result would be that my link tag would end up looking like this:
<a href="" id='' onClick='alert("hi");' title=''>
This output would create an alert message when a user clicked on the link. This obviously doesn’t do anything spectacular, but it is a simple proof of concept when testing for XSS. I am happy to see that Microsoft is taking steps to help protect users from this type of attack. Most users do not look closely at the URL they are clicking beyond the domain name. Although this does not provide full protection against cross-site scripting attacks, it is another layer the attacker has to fight through.
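To show where the filter is only a second layer, here is an added example (not code from the original post) with a constructed server-side template that writes the id parameter into the link tag exactly as described above, beside the attribute-encoded version that closes the hole regardless of browser; the payload is the query-string value from the post, and the parser-based check reports whether an event-handler attribute got injected.

```python
import html
from html.parser import HTMLParser

# Constructed payload: the id value from the query string in the post,
# with straight quotes as a real request would carry them.
PAYLOAD = "' onClick='alert(\"hi\");' title='"

def render_link_unsafe(id_value: str) -> str:
    """Vulnerable: the parameter is written straight into the attribute."""
    return "<a href=\"\" id='%s'>link</a>" % id_value

def render_link_safe(id_value: str) -> str:
    """Hardened: attribute-encode the value; quote=True also escapes ' and \"."""
    return "<a href=\"\" id='%s'>link</a>" % html.escape(id_value, quote=True)

class _AttrCollector(HTMLParser):
    """Collects the attributes the browser-side parser would see on the <a> tag."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            self.attrs = dict(attrs)   # attribute names arrive lowercased

def link_attributes(markup: str) -> dict:
    """Parse the rendered tag and return its attributes as a dict."""
    parser = _AttrCollector()
    parser.feed(markup)
    return parser.attrs

def injected_handlers(markup: str) -> list:
    """Check used by a reviewer or test: any on* attribute means the value
    broke out of its attribute and became script."""
    return sorted(name for name in link_attributes(markup) if name.startswith("on"))

if __name__ == "__main__":
    for render in (render_link_unsafe, render_link_safe):
        out = render(PAYLOAD)
        print(render.__name__, "->", out)
        print("  injected handlers:", injected_handlers(out))
```

In the unsafe rendering the parser reports `onclick` as a real attribute; in the safe rendering the whole payload survives only as the literal text of the id attribute.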
I did a few quick tests and found some interesting side effects of this filter. I will include that information after I get a chance to do a little more testing.