Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
9. XSS Filter
Chrome and Safari have the same function.
➡This time, I pick up IE's filter.
It was introduced from IE8.(2009)
10. Basic of XSS filter of IE
http://example.com/?q=<img+src=x+onerror=alert(1)>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
</head>
<body>
q param is: <img src=x onerror=alert(1)>
</body>
</html>
Before cut-off
If request and response are matched with
dangerous condition, XSS filter rewrites a page.
11. Like this #
http://example.com/?q=<img+src=x+onerror=alert(1)>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
</head>
<body>
q param is: <img src=x #nerror=alert(1)>
</body>
</html>
If request and response are matched with
dangerous condition, XSS filter rewrites a page.
After cut-off
12. Inaccuracy of XSS Filter
If matched with the condition, XSS filter
rewrites a string unrelated to part of a
dynamic creation of user input.
http://example.com/?q=AAA&<meta+charset=
<!DOCTYPE html>
<html>
<head>
<m#ta charset="utf-8">
</head>
<body>
q param is: AAA
</body>
</html>
13. World of after introduction
of XSS filter
All site suddenly had the possibility of
partial rewrite of a page.
#
#
#
2008 2009
14. About little change
Is it no big deal?
➡Let’s think about changing
1 byte at somewhere!
#
#
#
48. Basically,
Even 1 byte of change is risk.
In the past,
If you don't do careful, Rewrite of
XSS filter also becomes vulnerable.
https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-
2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf
Universal XSS via IE8s XSS Filters
Eduardo Vela Nava & David Lindsay
49. 2015: Is it safe at now?
Let’s see
how much real cut-off rule is!
I found XSS vulnerable patterns page
of normal structure which has no XSS
It is safe…no, it doesn't!
Apart from it this
This case will publish after modify.
50. Cut-off Rule
It isn't documented in particular.
We can see the loading binary to browser of dll
include regular expression of cut-off strings.
58. I want you to feel it
Safety of your site is depend on XSS filter.
➡Is it browser's bug?
Should browser do something about it?
I can not say rewrite of page is always safe.
59. From the first, your page is
Can you declare your site that can
stand up to partial breakdown?
60. XSS filter can do this
XSS filter very carefully rewrites a page.
#
61. In fact
In some case, it is possible to
not operate specific function
from intentional false positive.
(…)
Did the author of XSS filter
introduce XSS filter while
recognizing about the risks?
(or not) I’m interested a little
about it.
Mr. Terada's blog
http://d.hatena.ne.jp/teracc/2
0090622
Browser side introduced it, knowing the risk.
Mr. Terada and Mr. Hasegawa's log at 6 years ago is as follows:
63. What is
"taking care of the risk"?
✔ you should completely grasp XSS filter's cut-
off action.
✔ If the part of the page is rewritten, you should
inspect all page for normal operation and safety.
✔ If the page includes dangerous part, you
should rewrite the code one by one for
avoidance.
Then, you should do as follows:
Can you do those?
68. If you can do those,
✔ you should completely grasp XSS filter's cut-
off action.
✔ If the part of the page is rewritten, you should
inspect all page for normal operation and safety.
✔ If the page includes dangerous part, you
should rewrite the code one by one for
avoidance.
I think you can modify all XSS on your site...
➡What is the best?
74. The choice which
considered more safety
Value Sites which should choose header
0
They are measuring basic XSS.
/They want to remove false-negative.
1
Not recommended
(Discovered technique affects here.)
1;mode
=block
It is probable that the site have XSS.
/They want to protect site just in case.
default
X-XSS-Protection:0 or 1;mode=block
75. Is mode=block safe?
It should don't affect direct script execution.
I think a favor of the filter is bigger than it.
If feature of cut-off can detect from outside,
they may guess page contents.
This possibility probably can't be changes
to zero.
On the other hand…
77. Comments for Web
developer
How about changing to
1;mode=block?
Cut-off explanation is unkind,
It is difficult when user support
of false-negative…
Dev
Me
79. I think this site is measuring basic XSS,
Would you like to use X-XSS-Protection:0?
Me
Comments for Web
developer
80. I think this site is measuring basic XSS,
Would you like to use X-XSS-Protection:0?
Me
User may think about setting of
infelicity security function with
highly priority of product action.
Dev
Comments for Web
developer
81. Trap of XSS filter
XSS filter cut off only attacked position then it
shows other position, it seems like the smartest.
0 1 block
This action is the risk.
82. Conclusions
I'm hoping for improvement of XSS filter.
It should still be possible to do safely.
Is present default action really OK?
In theory, cut-off risk is inseparable from
XSS filter.
I want web developer to know this possibility.
I highly recommend XSS protection control
except default action.