David Lindsay, a researcher at software security company Cigital, presented a paper entitled 'Abusing Internet Explorer 8's XSS Filters' at the Black Hat conference in Barcelona, Spain. Lindsay and his co-author worked out a way to co-opt the anti-XSS technology built into the browser to compromise sites including Google, Wikipedia, Digg, Twitter, and Microsoft's own Bing search engine.
The Microsoft anti-XSS technology works by scanning outbound requests from the browser for potentially malicious strings. Upon finding such a string in a request, Internet Explorer 8 dynamically generates a regular expression matching it and looks for the same pattern in the response from the server. If it finds a match, it modifies the server's response to neutralize what it assumes is a cross-site scripting attack.
"The exact method used to alter a server's response is a crucial component in preventing XSS attacks. If the attack is not properly neutralized then a malicious script may still execute," said the researchers in their paper. "The Internet Explorer 8 team decided to use a 'neutering' technique to neutralize detected attacks. More specifically, when the filters make a positive match against the server's response, the malicious part of the response will have a certain character (or characters) modified so that the attack will not execute."
The team worked out a way to produce unintended results by manipulating the filters into substituting characters that alter content on a website. They were able to prevent legitimate JavaScript from executing, a technique that they said could be used to neutralize anti-clickjacking code, for example. They were also able to make webpages interpret JavaScript code as HTML, which they said in certain cases could lead to a cross-site scripting attack.
The researchers advised web developers to filter all user-generated content so that, even if interpreted in a different context, it would be unable to execute. Developers could also use site-wide anti-cross-site request forgery (CSRF) tokens, which prevent any sort of cross-site scripting from being exploited, and finally they could disable the filters in Internet Explorer 8 using a response header opt-out mechanism until patches were available for the Microsoft browser.
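The three recommendations above can be put into practice in a few lines of server-side code. The following Python is an added example written for this article, not code from the researchers' paper or from any of the affected sites: it HTML-encodes user-generated content so it stays inert regardless of the context it lands in, issues and checks a per-session anti-CSRF token, and sets the `X-XSS-Protection: 0` response header that opts a page out of Internet Explorer 8's filter. The session store, session identifiers and page layout are constructed for the example; in a real application the token would live in the session backend.

```python
import html
import hmac
import secrets

# In-memory per-session CSRF token store, constructed for this example.
# A real application would keep the token in its session backend.
_SESSION_TOKENS = {}


def issue_csrf_token(session_id: str) -> str:
    """Create a fresh, unguessable token bound to this session."""
    token = secrets.token_urlsafe(32)
    _SESSION_TOKENS[session_id] = token
    return token


def verify_csrf_token(session_id: str, submitted) -> bool:
    """Constant-time comparison of the submitted token against the stored one."""
    expected = _SESSION_TOKENS.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def encode_user_content(text: str) -> str:
    """Escape <, >, &, " and ' so user text cannot become markup or script,
    even if a browser-side filter later rewrites the surrounding page."""
    return html.escape(text, quote=True)


def build_response(session_id: str, user_comment: str):
    """Return (headers, body) for a page that embeds a user comment."""
    body = (
        "<!doctype html><html><body>"
        '<form method="post" action="/comment">'
        f'<input type="hidden" name="csrf" value="{issue_csrf_token(session_id)}">'
        "</form>"
        f"<p>{encode_user_content(user_comment)}</p>"
        "</body></html>"
    )
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        # Opt this page out of IE8's reflective XSS filter (the response
        # header opt-out the researchers recommended as an interim measure).
        ("X-XSS-Protection", "0"),
    ]
    return headers, body


def has_filter_optout(headers) -> bool:
    """Check a header list for the IE8 XSS-filter opt-out."""
    return any(
        name.lower() == "x-xss-protection" and value.strip() == "0"
        for name, value in headers
    )


if __name__ == "__main__":
    hdrs, page = build_response("session-1", "<script>alert(1)</script>")
    print(page)
    print("opt-out header present:", has_filter_optout(hdrs))
```

The opt-out header is only a stop-gap: once the browser-side filter is patched, the encoding and the CSRF token remain the controls that actually keep user-supplied text from executing.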