IE8 Security Warning

Vulnerability Description: IE8 is a new browser launched by Microsoft. It fully supports CSS2.1, HTML5, and built-in development tools. IE8 has greatly improved the security of browsers. It has a built-in Xss Filter that cannot be detached, providing better protection against non-persistent cross-site scripting attacks. However, when testing IE8, 80sec found that IE8 had a logical error when designing the Xss Filter, which may lead to security problems for some sites that did not have the vulnerability, in addition, IE8 does not fundamentally solve the problem of cross-site scripting attacks, and may even be exploited after the alternative attack methods. On some websites that are not strictly written, the IE8 Xss Filter does not play any role.

Vulnerability site: http://www.microsoft.com/

Vulnerability Analysis: after our research, we found that the basic principle of IE8 Xss Filter is to match the written URL based on the Rule library integrated with some known attacks. If the rule is matched, a warning is issued, in addition, you can replace the matched content on the page displayed when the site is displayed with a non-hazardous content type. This process has many problems.

1. matching rules

IE8 can only match some known simple rules, and cannot prevent JavaScript Injection and some Dom operations from bringing XSS. It is powerless for a persistent Xss. Therefore, IE8 has made a very small effort to prevent Xss. This step does not play any role for sites that are not strictly written. For example, a Dom Xss [Thanks Luoluo]

Dom XSS In IE8

As you can see, XSS is triggered in the same way.

2. How to perform non-persistent XSS in IE8 [this problem is affected by the same-origin policy]

IE8 is just a sense of security. It cannot fix website security vulnerabilities. For hackers, they only need to put the original XSS In the iframe to attack the site and cannot fundamentally solve the problem of cross-site attacks. For example

Http://www.80sec.com /? Url = <script> alert () </script>

It will be blocked, but when you use

<Iframe src = 'HTTP: // www.80sec.com /? Url = <script> alert () </script> '> </iframe>

It can be used in the same way, but it may require more in-depth skills.

3 IE8 causes many websites to have security risks

The protection design of IE8 is to replace the corresponding content on the page when there is a violation rule input in the URL, regardless of whether the content on the page is caused by user input. Hackers can use this to replace some code of the target site. To achieve this, they only need to add an irrelevant input to the address. If the replaced content involves some page logic, it may be used by the context. If IE8 is used, any site may become the target of the attack.

Http://www.baidu.com /? 80sec = <meta % 20http-equiv = Content-Type % 20 content = "text/html; charset = gb2312">

Check whether the URL in IE8 is messy. Of course, we can use this feature to comment out many things, such as JS, which can cause security risks or even exploitation of the target site.

4. the Xss Filter function of IE8 has the same-source policy feature.

The Xss Filter feature of IE8 has the same-origin policy feature. Compared with most non-persistent XSS, XSS is not blocked if the attack source is from the attacked website. The Xss Filter function of IE8 is designed to fully trust access from the local domain, for example

Http://www.baidu.com /? Xss = <script> alert ('xsss ')

If this type of link appears on the webpage in www.baidu.com domain and is clicked to trigger the XSS vulnerability, IE8's Xss Filter will not be blocked.

Vulnerability status: awaiting official response

The content on this site is original. For reprinted content, be sure to keep your signatures and links!
Html "> IE8 Security Warning: Http://www.80sec.com/ie8-security-alert.html