Thursday, April 15, 2010

IE8 XSS Bypass - BlackHat Europe Slides

IE8 and the anti-XSS control has been discussed in several articles and recent posts (here, here and here). The researchers that discovered the XSS issue in the anti-XSS control (ironic huh) presented at Blackhat and the slides are below.

The gist of the issue is that a flaw in the anti-xss control introduce XSS into otherwise safe sites.  Needless to say, this is really bad.

[pics from presenter's slides]






This issue has been fixed by a Microsoft patch. So although there is an attack vector against vulnerable users, this would include people that have upgraded to IE8 but haven't applied recent patches.  I would guess this is not a large number (no data to back that up).

However, the issue does raise a bigger issue, the blacklist approach and sanitation performed by IE8's XSS could introduce XSS vulnerabilities into an otherwise safe site.  That is a scary scenario. As the presenters put it, you shouldn't necessarily disable the XSS protection, but you should be ready to disable if a 0-day against the XSS filter is released.


Slides from the event


A little further analysis on one of the above examples:

I looked into the Wikipedia example. The url is as follows (this will fire in a vulnerable version of IE8)

http://en.wikipedia.org/w/index.php?title=Cross-site_scripting&oldid=312565384&foo="/wiki/File:Wikipedesketch1.png"class="image"><img alt=

This plays off of the already present code in the wiki which looks like this:

<div class="thumbinner" style="width:222px;"><a href="/wiki/File:Wikipedesketch1.png" class="image"><img alt="x onerror=alert(1) onload=alert(2) y"src="http://upload.wikimedia.org/wikipedia/commons/thumb/d/d4/Wikipedesketch1.png/220px-Wikipedesketch1.png" width="220" height="224" class="thumbimage" /></a>

The anti-xss filter regex fires on the URL and modifies the response. The modified response then changes from benign text to malicious XSS and hence the alert(2) fires.  Interesting stuff. See the presentation for a more in depth description.


-Michael Coates

1 comment:

Note: Only a member of this blog may post a comment.