I have studied the IE 8/9 XSS filter and extracted every regular expression it uses for interception. I am deeply impressed by the effort Microsoft has put into XSS.
Today I saw cosine's post: http://www.bkjia.com/Article/201110/109035.html
I had not looked at Chrome before, so I tested Chrome on the basis of cosine's article.
I wrote a simple test page (it deliberately reflects the `a` query parameter unescaped; the trailing script reports what the browser's filter left in the body):
<html>
<head></head>
<body>
<?php
// Reflected-XSS test harness: echo the `a` parameter without any encoding.
echo $_GET['a'];
?>
</body>
<script>
// Report what survived the browser's XSS filter inside <body>.
alert(document.getElementsByTagName('body')[0].innerHTML);
</script>
</html>
The test results are as follows:
From the test results we can see how IE's and Chrome's interception differ:
1. Chrome rewrites the content of the offending node in place, so the script below the BODY node still executes.
2. IE directly breaks the node that contains the cross-site script, so the script below the BODY node never executes.
The difference also shows that Chrome rewrites the alert(1) inside the script tag in place. What if we fuzz the content inside the tag's <> brackets? Then it can be bypassed easily:
Was I not trusting my own eyes? I wondered that too. If the Chrome on my machine were not a recent build (Chrome 13), I would have suspected a Chrome version problem.
What about IE8/9?
From this we can see that the interception of the IE 8/9 XSS filter is more effective than that of the Chrome XSS filter. But we should not ignore one point: usability and security are always at odds, and the effectiveness of the IE 8/9 XSS filter comes at the price of false positives. I remember that, when I was still doing web security testing a few years ago, I often heard front-line engineers complain about false positives from the IE 8/9 XSS filter. Taking that into account, I think the Chrome XSS filter is relatively elegant in its interception method and rules, but there is still room for improvement.
Finally, one more note on this article: to understand the matter more deeply, one would need to reverse-engineer mshtml.dll and analyze the Chrome source code. Also, a plug for cosine's "cross-site road"; we look forward to it. Good ideas always inspire people.
PS:
I did not expect the gap to be filled so quickly:
The elegance of chrome xss filter: http://www.bkjia.com/Article/201110/109036.html