Aug 30, 2008

IE8 XSS filter

Since IE8 beta2 is out, I downloaded and installed it to take a look at the brand new XSS filter (See here*1). Basically I wanted to see how good it is at filtering XSS. I tried some tricks and it seems to work fine, filtering all known XSS attack vectors, etc. So far, very good work by the MS people.

After continuing to test the XSS filter, I got a bit disappointed.

Exploiting reflected XSS requires user interaction: the target user has to browse to a URL. It could be the attacker's site, which loads a hidden HTML IFrame exploiting the XSS issue without the target user noticing it, or the URL could be crafted directly with the XSS attack for the target site. Both scenarios require user interaction. I call this a 1 stage XSS attack, since the attack takes place just after the user browses to the URL. This scenario seems to be perfectly handled and filtered by the IE8 XSS filter.

What about a 2 stage XSS attack?
A 2 stage XSS attack is when the user has to browse to a second URL after browsing the initial URL for the XSS attack to take place. People may think that this attack is complicated and not reliable, but it's simple and very reliable, and it has almost the same success rate as a 1 stage XSS attack: since people want to get what they were looking for when browsing to the first URL, they will continue browsing most of the time.

Let's see an example: the attacker supplies the target user with a URL. The user browses to this URL, and instead of directly exploiting the XSS to run code, the attacker exploits it to inject HTML code (no script code, so no IE8 XSS filtering) that modifies the web page, adding a link in a way that persuades the user to click to continue to get what the target user (victim) wanted when he first browsed to the URL. After the user clicks, IE opens a new URL, and this time the XSS attack takes place, running code and taking over the user session, etc.

You may be wondering: why a 2 stage XSS attack? Simply because the IE8 XSS filter doesn't filter XSS attacks when browsing from the same site (See here*2). That's it.

Sample:

The following URL won't be filtered by IE8:
http://somesite/test.asp?param=<a href="test.asp?param=<sc%0aript>alert('owned')</script>"><div style="position: absolute; left: 0px; top: 0px; height: 1000px; width: 1000px; padding: 1em;background:black;text-align: center;">click to continue</div></a>

After browsing the above URL and clicking on the web page the following URL will be loaded:
http://somesite/test.asp?param=<script>alert('owned')</script>

Because the navigation comes from the same domain, IE8 won't filter the XSS attack.
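
The server-side counterpart, as an added example that is not code from the original post: HTML-encoding the reflected parameter leaves the stage-1 link inert, so the same-site second request never happens, and a simple heuristic flags the stage-1 request shape in logs. Function names and sample URLs are constructed, and the raw echo by test.asp is an assumption.

```javascript
// Added example; function names and sample URLs are constructed for illustration.

// Encode a value before reflecting it into element content or a quoted attribute.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed behaviour of the vulnerable page (raw echo) beside the encoded form.
function renderEcho(param, encode) {
  return "<div>" + (encode ? encodeHtml(param) : param) + "</div>";
}

// Heuristic for logs or a request filter: a parameter that injects a link
// whose own target carries markup has the stage-1 shape described above.
// It is a review aid, not a complete XSS detector.
function looksTwoStage(requestUrl) {
  const url = new URL(requestUrl);
  for (const value of url.searchParams.values()) {
    const link = /<a\b[^>]*\bhref\s*=\s*(["'])([\s\S]*?)\1/i.exec(value);
    if (link && /<\s*[a-z!\/]/i.test(link[2])) return true;
  }
  return false;
}

// Constructed samples: benign markup standing in for the nested payload.
const STAGE1 = 'http://somesite/test.asp?param=<a href="test.asp?param=<b>x</b>">click to continue</a>';
const PLAIN = "http://somesite/test.asp?param=hello";

function demo() {
  const param = new URL(STAGE1).searchParams.get("param");
  return {
    raw: renderEcho(param, false),      // injected link survives as live markup
    encoded: renderEcho(param, true),   // injected link is shown as text only
    flagged: looksTwoStage(STAGE1),
    plainFlagged: looksTwoStage(PLAIN),
  };
}

console.log(demo());
```
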

Talking about this with kuza55 (http://kuza55.blogspot.com/), he found this same stuff independently, and he had the good idea of using CSS overlays (http://www.sirdarckcat.net/asdfg.html) to trick the user into clicking the link.

Conclusion: Currently the IE8 XSS filter doesn't provide much more security. The IE8 XSS filter should also filter 2 stage XSS attacks. Luckily IE8 is just in beta and it's a long way to the final release version; I'm sure MS will improve it.