Vulnerability Description: IE8 is the new browser released by Microsoft. It fully supports CSS 2.1 and HTML5 and ships with built-in developer tools. IE8 also significantly improves browser security: it has a built-in XSS Filter that cannot be removed, which gives better protection against non-persistent (reflected) cross-site scripting. While testing IE8, however, 80sec found that the IE8 XSS Filter has a flaw, so that on systems using some East Asian locales, URL-based XSS is not blocked. On the Chinese version, for example, a small amount of crafted data is enough to bypass the IE8 filter policy.
Vulnerability site: http://www.microsoft.com/
Vulnerability Analysis: The IE8 XSS Filter uses the system's built-in encoding when it filters; on the Chinese version this is GB2312, and on other East Asian locales the corresponding wide-byte (double-byte) encoding is used. When an invalid encoding sequence such as %c1< is submitted, IE8 performs its keyword matching as if that sequence were one ordinary East Asian character. The page itself, however, declares an encoding such as UTF-8, and %c1< is not a valid UTF-8 sequence, so during page parsing it is treated as two separate characters. The < therefore escapes the check, which is the vulnerability.
Proof of vulnerability: assume that the following web script exists:
<?php
// Page declares UTF-8, but reflects the parameter without any escaping.
header("Content-Type: text/html; charset=UTF-8");
echo $_GET['c'];
?>
On IE8 running on a system with an East Asian locale, a conventional XSS payload such as
.php?c=<script>alert()</script>
is blocked by the IE8 security policy, but submitting
.php?c=%c1<script>alert()</script>
bypasses the IE8 XSS Filter and the script executes.
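The Python script below is an added illustration and is not code from the 80sec advisory or from Microsoft. It models the encoding mismatch described above: the double-byte tokeniser is an assumption (a simplified stand-in for how a filter using the OS default GB2312 charset would consume a lead byte and its following byte, not IE8's actual implementation), and the two request strings are constructed to match the shape of the proof of concept. It shows that scanning the request bytes under the OS default charset makes the < disappear into a bogus wide character, while decoding with the charset the page actually declares (UTF-8) keeps < visible to the same keyword check, and that escaping on output removes the reflection regardless of which charset the client-side filter assumed.

```python
import html
import re
from urllib.parse import unquote_to_bytes

# Constructed request parameters in the shape of the advisory's PoC (not real traffic).
CONVENTIONAL = b"<script>alert()</script>"
ENCODING_PREFIXED = b"%c1<script>alert()</script>"

SCRIPT_TAG = re.compile(r"<script", re.IGNORECASE)


def os_default_dbcs_scan(raw: bytes) -> bool:
    """Assumed model of a filter that tokenises raw request bytes with the OS
    default double-byte charset: any byte in the GB2312 lead-byte range
    (0xA1-0xF7) swallows the next byte as its trail byte, whatever that byte is.
    Returns True if the keyword check would fire on the resulting characters."""
    chars = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0xA1 <= b <= 0xF7 and i + 1 < len(raw):
            chars.append("\ufffd")  # one (invalid) wide character; the '<' is gone
            i += 2
        else:
            chars.append(chr(b))
            i += 1
    return SCRIPT_TAG.search("".join(chars)) is not None


def declared_charset_scan(raw: bytes, charset: str = "utf-8") -> bool:
    """Decode with the charset the page declares. 0xC1 is never a valid UTF-8
    lead byte, so it becomes U+FFFD on its own and the '<' that follows survives,
    which is exactly what the rendering engine sees."""
    return SCRIPT_TAG.search(raw.decode(charset, errors="replace")) is not None


def filter_decisions(param: bytes) -> dict:
    """Compare the two filter strategies on one percent-encoded parameter."""
    raw = unquote_to_bytes(param)
    return {
        "os_default_filter_blocks": os_default_dbcs_scan(raw),
        "declared_charset_filter_blocks": declared_charset_scan(raw),
    }


def render_safely(param: bytes, charset: str = "utf-8") -> str:
    """Server-side mitigation: decode under the declared charset and HTML-escape
    before reflecting, so no client-side filter decision is relied upon."""
    return html.escape(unquote_to_bytes(param).decode(charset, errors="replace"))


if __name__ == "__main__":
    for name, param in (("conventional", CONVENTIONAL), ("prefixed", ENCODING_PREFIXED)):
        print(name, filter_decisions(param))
        print("  escaped output:", render_safely(param))
```

The point for a defender is the second function: keyword checks must be run on the bytes as decoded under the charset the response actually declares, not under the platform default, and the server should never depend on the client filter in the first place.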
Vulnerability status: the vendor has been notified; awaiting a response.
The content on this site is original. When reprinting, please keep the signature and links!
IE8 XSS Filter Bypass: http://www.80sec.com/ie8-xssfilter-bypass.html