BlackHatEU : Universal XSS via IE8s XSS Filters
By David Lindsay & Eduardo Vela Nava
The talk is about abusing the anti-XSS filters built into IE8 to always be able to perform XSS.
Microsoft decided to implement anti-XSS measures in IE because XSS is so common. On the other hand, they wanted to be careful not to break the web and to keep things performant, and the solution itself had to be secure.
So how do these filters work?
• Examine all outbound requests for XSS patterns using heuristic filters.
• If something matches a filter, a dynamic signature is generated.
• If the signature matches the response, the response is neutered.
The heuristic filters look for suspicious requests, e.g. parameters with <script> tags in them. The dynamic signature is then generated to take into account some forms of server transformation, but basically it checks whether the same text is reflected back in the response. If XSS is detected, one character in the reflected text is replaced by a hash mark (#).
The presentation then gave a breakdown of typical heuristic signatures, they can all be found at http://p42.us/ie8xss/filters02.txt.
One of the things the researchers found is that these filters can be bypassed: regular expressions are not perfect and are complex to write. Examples are at http://goo.gl/sour and http://goo.gl/KVDI.
But even more fun is to turn the filters against themselves.
Because the filter is designed to neuter certain tags, it can be used to disable other script tags as well. This can be used to disable framebusters, block sandboxes and disable other JavaScript-based security mechanisms.
The XSS filters can also be used to turn an ‘=’ sign into a hash sign (#), which can alter the entire meaning of certain HTML tags.
The XSS filters can be abused to malform (neuter) HTML tags. The onerror properties of these tags can then be used to trigger scripts.
The way the XSS filters were built allows the neutering of just about any = sign on a page.
So the attack has two stages: first you need to be able to insert text into an HTML name/value pair. Then you need to trigger a fake XSS attack that will neuter the HTML name/value pair so that the inserted text becomes active.
Is this common? Yes it is. Bing, Twitter, wikis, social networks. About 99% of the sites that matter are vulnerable.
If you want to try out the attack yourself, use a vulnerable version of IE8 and visit http://0x.lv/attr.php
How was this fixed?
Microsoft is no longer neutering the = sign
What can you do?
* Turn XSS filtering off
* Use a different browser
* Upgrade your browser after Microsoft fixes it.
Should you disable the filters? No, the benefit outweighs the risks.
What if I run a website?
Microsoft allows websites to add a header that will opt you out of XSS filtering.
"X-XSS-Protection: 0" disables the filter for that page. "X-XSS-Protection: 1; mode=block" does not disable the protection, but makes the browser block the entire page from being rendered instead of neutering characters in it.
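As an added example (not from the talk and not Microsoft's code): a small Python WSGI middleware that sets the X-XSS-Protection header on every response, plus a parser for the header value so a deployment check can confirm which of the two policies a server is actually sending. `demo_app` and `response_headers` are hypothetical helpers so the whole thing runs offline.

```python
import re
from wsgiref.util import setup_testing_defaults

# Policy values from the write-up: "0" opts the page out of the IE8 filter,
# "1; mode=block" keeps detection but refuses to render the page instead
# of neutering characters inside it.
OPT_OUT = "0"
BLOCK = "1; mode=block"

_HEADER_RE = re.compile(r"^\s*([01])\s*(?:;\s*mode\s*=\s*(block))?\s*$", re.I)


def parse_xss_protection(value):
    """Return {'enabled': bool, 'mode': 'block' or None}; None if malformed."""
    m = _HEADER_RE.match(value or "")
    if not m:
        return None
    enabled = m.group(1) == "1"
    mode = m.group(2).lower() if m.group(2) else None
    if not enabled and mode:
        return None  # "0; mode=block" is contradictory: treat as misconfigured
    return {"enabled": enabled, "mode": mode}


class XssProtectionMiddleware:
    """Wrap a WSGI app and add the header unless the app already set one."""
    def __init__(self, app, policy=BLOCK):
        if parse_xss_protection(policy) is None:
            raise ValueError("invalid X-XSS-Protection policy: %r" % policy)
        self.app, self.policy = app, policy

    def __call__(self, environ, start_response):
        def _start(status, headers, exc_info=None):
            if not any(h.lower() == "x-xss-protection" for h, _ in headers):
                headers.append(("X-XSS-Protection", self.policy))
            return start_response(status, headers, exc_info)
        return self.app(environ, _start)


def demo_app(environ, start_response):
    """Constructed sample app (hypothetical) that sets no security headers."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<p>hello</p>"]


def response_headers(app):
    """Run one request through `app` offline and return its response headers."""
    environ, captured = {}, {}
    setup_testing_defaults(environ)

    def start_response(status, headers, exc_info=None):
        captured["headers"] = dict(headers)
    list(app(environ, start_response))
    return captured["headers"]
```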
This issue was discovered and reported to Microsoft in September 2009 and was patched in January 2010. Public disclosure was today.
So what about other browsers?
Firefox: NoScript (good), NoXSS (don’t use)
WebKit is developing XSSAuditor. It will respect the same control headers as IE8.