IE8 XSS Filter Bypass

Vulnerability Description: IE8 is a new browser launched by Microsoft. It fully supports css2.1, HTML5, and built-in development tools. IE8 has greatly improved the security of browsers. It has a built-in XSS filter that cannot be detached, providing better protection against non-persistent cross-site scripting attacks. However, when testing IE8, 80sec found that the IE8 XSS filter has a vulnerability. As a result, in some Eastern countries, url xss cannot be blocked. For example, in the Chinese version, you can use some simple data to get rid of the IE8 filter policy.

Vulnerability site: http://www.microsoft.com/

Vulnerability Analysis: Because the IE8 XSS filter adopts built-in system encoding during filtering, it will be gb2312 in the Chinese version, in other Eastern countries, the corresponding width-byte encoding will also be used. Submitting an invalid encoding sequence such as % C1 <is matched by the filter keyword by IE8 as a normal Oriental character, since the page itself will specify an encoding such as a UTF-8, % C1 <is not a valid utf8 encoding during parsing, it will be treated as two characters, this leads to <bypass check, which leads to the vulnerability.

Proof of vulnerability: assume that the following web script exists:


<?php
header(“Content-Type: text/html; charset=utf-8″);
echo $_GET[c];
?>


In IE8 of the eastern country system, if the conventional XSS such:


.php?c=<script>alert()</script>


Will be blocked by IE8 security policy, but if you submit


.php?c=%c1<script>alert()</script>


The code can bypass and execute IE8 XSS filter.

IE8 XSS Filter Bypass