So, it appears IE8 introduced a brand new XSS protection mechanism. It apparently does so by inspecting javascript resources and modifying them before execution.
So far, so good?
Well... apparently the "filter" is quite overzealous and triggers a lot of false positives, breaking websites and legitimate JavaScript.
Fortunately for us, the boys anticipated their new feature being broken, and provided a means for everybody to bypass it.
Meet the "X-XSS-Protection: 0" HTTP header. Send it along with your resource, and voilà, the IE8 XSS Filter is disabled.
From which you may obviously deduce that it's also that easy for Mr. EvilMan to work around the "protection"...
By the way, all google websites I've checked do disable it already :-).
Same old web.
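As an added example (not code from the original post), here is a small Python auditor that parses a raw HTTP response, reads its X-XSS-Protection header and reports what IE8's filter will do for that response, alongside a minimal WSGI application that emits the "0" opt-out the post describes. The sample responses are constructed; the values "1" and "1; mode=block" are not on this page but are the other documented settings from the MSDN reference the post links to.

```python
"""Added example, not part of the original post: audit the X-XSS-Protection
header a site sends, and show a server that opts out with '0'.
All sample responses below are constructed for the example."""

from typing import Dict, Optional


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response into a dict.
    Names are lower-cased; the status line and body are dropped."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_xss_protection(value: Optional[str]) -> str:
    """Map the header value to IE8 XSS Filter behaviour.
    '0' is the opt-out from the post; '1' and '1; mode=block' are the other
    documented values (assumed from the MSDN reference, not from the post)."""
    if value is None:
        return "default"        # no header: filter on, default (sanitise) mode
    parts = [p.strip().lower() for p in value.split(";")]
    if parts[0] == "0":
        return "disabled"       # site has opted out for this response
    if parts[0] == "1":
        if "mode=block" in parts[1:]:
            return "block"      # page is blocked instead of rewritten
        return "sanitise"
    return "unknown"            # unexpected value: worth flagging in an audit


def audit(raw_response: str) -> str:
    """Classify a raw HTTP response by its X-XSS-Protection header."""
    return classify_xss_protection(parse_headers(raw_response).get("x-xss-protection"))


def opt_out_app(environ, start_response):
    """Minimal WSGI app that sends the opt-out header on its own response.
    The header only affects responses the site itself serves."""
    body = b"<html><body>hello</body></html>"
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-XSS-Protection", "0"),
    ])
    return [body]


def call_wsgi(app) -> Dict[str, str]:
    """Drive a WSGI app once in-process and return its response headers."""
    captured: Dict[str, Dict[str, str]] = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = {k.lower(): v for k, v in headers}

    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured["headers"]


# Constructed sample responses (not captured from any real site).
SAMPLE_OPT_OUT = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  "X-XSS-Protection: 0\r\n\r\n<html></html>")
SAMPLE_DEFAULT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
SAMPLE_BLOCK = "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("opt-out", SAMPLE_OPT_OUT), ("default", SAMPLE_DEFAULT),
                      ("block", SAMPLE_BLOCK)]:
        print(f"{name}: {audit(raw)}")
    print("wsgi app sends:", call_wsgi(opt_out_app)["x-xss-protection"])
```

Run it to see each constructed response classified; pointing `audit` at headers captured from your own site shows whether a response really carries the opt-out or is still running under the filter's default mode.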
Sources:
http://michael-coates.blogspot.com/2009/07/ie-8-anti-xss-bit-overblown.html
http://msdn.microsoft.com/en-us/library/dd565647%28VS.85%29.aspx
Comments
#1
Eric
Friday, November 6 2009, 16:50
Mmmhmmm... And how exactly does "Mr. EvilMan" opt-out the victim site? Hint: He can't.
The opt-out header is there for sites that are already doing their own XSS Filtration on the server-side (like Google).
#2
David Ross
Friday, November 6 2009, 20:03
Olivier,
You may want to take a look at my response in the comments section of Michael's blog.
For reference, the filter's design philosophy is documented here:
http://blogs.msdn.com/dross/archive...
Architecture / Implementation:
http://blogs.technet.com/srd/archiv...
If you have feedback or questions on the filter please don't hesitate to contact me:
http://blogs.msdn.com/dross/contact...
#3
Laurentj
Monday, November 9 2009, 09:59
A response here: http://blog.zoomodev.com/post/2009/...