Hats off to IE8.0 (sort of)
2009-05-03 00:05:23
Mon, 20 Oct 08 19:44:55 -0600
IE8.0 beta has taken a huge step forward in XSS protection by adding an XSS Filter. Essentially, it blocks active content supplied in the URL from executing. This is far from complete protection, as a few things seem to be missing, but it is a huge step forward.
It seems to miss anything in the head section of the document, and I still need to do much more testing to determine how easily the filter is bypassed.
For example, at the moment it seems that putting the vector between the <head> and </head> tags essentially neuters the filter.
It also leaves the very common </title>[evilcode] exploit open.
Embedded items don't seem to be blocked, nor do simple iframes. It does, however, block attribute injection, which was one of my best exploits I worked out. It also appears to block anything with "javascript:" in a tag.
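The gaps listed above (the head section, the </title> break-out, attribute injection) are all cases of a URL parameter being reflected into a different HTML context. A browser-side filter can only guess at that; the server that writes the parameter into the page knows the context and can encode for it. The following is an added example, not code from the post or from Microsoft, showing a page that reflects two query parameters (the `title` and `name` parameter names and the example.invalid URL are constructed for illustration) into the title, an attribute, and body text, with every reflection HTML-encoded. A small parser-based check then confirms that the reflected values survive only as text and attribute data, never as new elements, regardless of what the browser's filter does.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


def render_page(title_param: str, name_param: str) -> str:
    """Build a small page that reflects two URL parameters into three contexts:
    the <title> element inside <head>, a quoted attribute value, and body text.
    Every reflection is passed through html.escape (quote=True also encodes the
    quote characters), so markup characters in the parameter are rendered as
    text and cannot close the enclosing element or open a new one."""
    safe_title = html.escape(title_param, quote=True)
    safe_name = html.escape(name_param, quote=True)
    return (
        "<html><head>"
        f"<title>{safe_title}</title>"
        "</head><body>"
        f'<input type="text" name="q" value="{safe_name}">'
        f"<p>Hello, {safe_name}</p>"
        "</body></html>"
    )


def render_page_from_url(url: str) -> str:
    """Pull the 'title' and 'name' query parameters (hypothetical names chosen
    for this example) out of a request URL and render the page from them."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    title = qs.get("title", [""])[0]
    name = qs.get("name", [""])[0]
    return render_page(title, name)


class _TagCollector(HTMLParser):
    """Record every start tag and its attributes, the way a browser's parser
    sees them, so we can verify the document contains only the elements the
    template itself declares."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(page: str):
    """Return [(tag, attrs), ...] for every start tag in the rendered page."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


def tag_names(page: str):
    """Just the element names, in document order."""
    return [tag for tag, _ in parsed_tags(page)]


def input_value(page: str):
    """The value attribute of the reflected <input>, as the parser decodes it."""
    for tag, attrs in parsed_tags(page):
        if tag == "input":
            return attrs.get("value")
    return None


if __name__ == "__main__":
    # Constructed sample URL: the title parameter tries to close </title> and
    # add an element, the name parameter tries to break out of the attribute.
    url = ("http://example.invalid/page?title=%3C%2Ftitle%3E%3Cb%3Ex%3C%2Fb%3E"
           "&name=a%22%20b%3D%22c")
    page = render_page_from_url(url)
    print(page)
    print(tag_names(page))    # only the template's own six elements
    print(input_value(page))  # the raw parameter, preserved as attribute data
```

The check is deliberately done with a real HTML parser rather than a substring search: the question is not whether `</title>` appears in the output (the template's own closing tag does), but whether the parameter produced any element the template did not declare. If it does, the page is vulnerable whether or not a client-side filter happens to catch that particular payload.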
Even with all the Type 1 (non-persistent) holes available, it's still a fairly good filter, and a sure step in the right direction. I have no doubt that similar extensions for FF and Opera will be available in no more than a few weeks.
On other fronts, it passed the ACID I and II tests, but got a whopping 12/100 on the ACID III (compared to Firefox's 70 and Google Chrome's 73).
It is also slow as sludge. It can take 5 seconds for a BLANK page to load. They are still butchering web standards, and I still dislike them, but I am moved by their first jump on the XSS problem.
Although the exploits I show here work in some cases, at other times they are caught. There seems to be little rhyme or reason as to why it only works in the simplest of cases, but we shall see.
Peace