Comments on Jeremiah Grossman: To disable IE8's XSS Filter or not?

Unknown, 2010-01-13T10:01:16.056-08:00

I have an ajax app that is being broken by this "feature" of IE.

I have tried setting the x-xss-protection header to 0 and verified it's in place but it does not disable the stupid feature!

It breaks a request I make to a hidden iframe to generate page content.

Anyone had any luck getting legit apps through this feature?

Chris Evans, 2010-01-09T21:18:17.989-08:00

This is one of those awkward "is it public or isn't it?" situations. Given the assertion that vulnerability X exists in relatively small piece of functionality Y, I know several competent researchers who could calculate X in a very short time :)

fish, 2010-01-08T14:35:40.490-08:00

Just do not use a browser which sucks so hard that you need to ask such questions, and if you throw some common sense in, you'll be fine.

Jeremiah Grossman, 2010-01-08T11:39:26.544-08:00

@chriscla, you know that is a really good point, an aspect of risk I didn't see previously considered. You could in fact be right, given the exploit becomes generally available. Right now, my understanding is that it's not in-the-wild so to speak.

chriscla, 2010-01-08T11:01:57.189-08:00

I am not familiar with the vulnerability, but this is an interesting case study.

Suppose attackers can trigger this bug to cause XSS on any site. If that's the case, and the Register article implies that it is, then attackers won't bother to find your site-specific XSS. Instead they will use their off-the-shelf Anti-AntiXSS exploit. Attackers prefer OS bugs for the same reason -- they can discover the bug, package a reliable exploit, and continually re-use it.

If Microsoft confirms an issue with the Anti-XSS protections, sites should disable it until a fix becomes available.

Aditya K Sood, 2010-01-08T05:01:20.932-08:00

I think it's a good additional practice to check website for advanced auditing and web application testing.

Check

http://zeroknock.blogspot.com/2009/11/http-x-protection-headers-microsoft.html

Stephan Wehner (http://loggingit.com), 2010-01-06T15:17:37.335-08:00

Use a different browser?

Stephan

thornmaker (http://p42.us), 2010-01-06T14:10:54.992-08:00

It's not the XSS-riddled sites that need to worry...

Jeremiah Grossman, 2010-01-06T14:00:42.117-08:00

@thornmaker, good point, thanks for the comment. I'd also guess that in-the-wild exploitation of this is highly unlikely given so much vanilla XSS available. :)

thornmaker (http://p42.us), 2010-01-06T13:57:42.327-08:00

I agree with this but have one thing to add.

If this issue starts to be exploited "in the wild" before Microsoft issues a fix, then I would temporarily disable the filters until your site's users have been given a chance to upgrade.

To my knowledge, this has not happened yet.