Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IE XSS filter can be used for XSS attacks instead of preventing it. #26

Closed
3rd-Eden opened this issue Dec 9, 2013 · 7 comments
Closed

IE XSS filter can be used for XSS attacks instead of preventing it. #26

3rd-Eden opened this issue Dec 9, 2013 · 7 comments

Comments

@3rd-Eden
Copy link

3rd-Eden commented Dec 9, 2013

There used to a bug in the XSS filters in Internet Explorer which actually enabled XSS attacks instead of preventing it. Making sites which would normally be safe vulnerable for attacks.

So helmet could actually make sites more vulnerable instead of protecting them. The simplest solution would be disabling the filter for IE8 as this fix was most certainly landed in IE9 > as I doubt it can be detected by UA sniffing. If you feel it's not worth to fix this.. Please consider adding a note to the README file so developers know that they potentially expose them selfs to XSS attacks.

Related reading:
http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/
http://technet.microsoft.com/en-us/security/bulletin/MS10-002
@evilpacket
Copy link

Thanks Arnout, I'll dig into it. appreciate the heads up.

Arnout Kazemier wrote:

There used to a bug in the XSS filters in Internet Explorer which
actually enabled XSS attacks instead of preventing it. Making sites
which would normally be safe vulnerable for attacks.

So helmet could actually make sites more vulnerable instead of
protecting them. The simplest solution would be disabling the filter
for IE8 as this fix was most certainly landed in IE9 > as I doubt it
can be detected by UA sniffing. If you feel it's not worth to fix
this.. Please consider adding a note to the README file so developers
know that they potentially expose them selfs to XSS attacks.

Related reading:
http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/
http://technet.microsoft.com/en-us/security/bulletin/MS10-002


Reply to this email directly or view it on GitHub
#26.

@EvanHahn
Copy link
Member

Setting the header X-XSS-Protection: 0 isn't totally a solution, because Chrome respects it. With no header set, it'll block the script from running but keep the page:

screen 2013-12-10 at 3 33 11pm

With the header set to X-XSS-Protection: 1; mode=block, it redirects to a blank page.

And with it set to 0, it actually runs the script (bad news!):

screen 2013-12-10 at 3 34 30pm

My adventures in Firefox never ran the script. If you're interested, here's the PHP I used to test this:

<?php
// Uncomment these to see the magic...
/* header('X-XSS-Protection: 0'); */
/* header('X-XSS-Protection: 1; mode=block'); */
?>

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>test thing</title>
</head>
<body>

  <p>Hello, <?php echo $_GET['name'] ?>!</p>

  <p>The above code looks like this:</p>
  <pre>Hello, &lt;?php echo $_GET['name'] ?&gt;!</pre>

</body>
</html>

This might be another browser-sniffing adventure...

@natevw
Copy link
Contributor

natevw commented Jan 28, 2014

Per my understanding [which may be incorrect, only skimmed Arnout's links] the trouble was with IE's page rewriting — the vulnerability was in "fixup" mode as it were. By sending mode=block is the vulnerability avoided, or did IE8 not support that option to begin with?

@natevw natevw mentioned this issue Jan 28, 2014
Closed
@natevw
Copy link
Contributor

natevw commented Jan 28, 2014

FWIW, there's no mention of mode=block on the original announcement but I guess that doesn't rule out they added it to IE8 as a security patch.

@EvanHahn
Copy link
Member

This isn't an easy thing to solve. If you include it, you make people on new browsers safer and people on old browsers vulnerable to complex attacks. If you don't include it, you make people on all browsers less safe.

I think the algorithm is this:

if ((browser != 'IE') || (version >= 9) || (options.setOnOldIE)) {
  res.setHeader('X-XSS-Protection', '1; mode=block');
} else {
  res.setHeader('X-XSS-Protection', '0');
}

I think you should have to opt in to setting the header for IE 8 and below. I think the API should look like this:

app.use(helmet.iexss());
app.use(helmet.iexss({ setOnOldIE: true }));

And, of course, add a lot of information about this in the README.

Does this sound good?

@evilpacket
Copy link

I think this is perfectly acceptable, specifically the part about
documenting the concern in the README.

Evan Hahn wrote:

This isn't an easy thing to solve. If you include it, you make people
on /new/ browsers safer and people on /old/ browsers vulnerable to
complex attacks. If you don't include it, you make people on /all/
browsers less safe.

I think the algorithm is this:

if ((browser != 'IE') || (version >= 9) || (options.setOnOldIE)) {
res.setHeader('X-XSS-Protection', '1; mode=block');
} else {
res.setHeader('X-XSS-Protection', '0');
}

I think you should have to opt /in/ to setting the header for IE 8 and
below. I think the API should look like this:

app.use(helmet.iexss());
app.use(helmet.iexss({ setOnOldIE: true }));

And, of course, add a lot of information about this in the README.

Does this sound good?


Reply to this email directly or view it on GitHub
#26 (comment).

@EvanHahn
Copy link
Member

Working on it now!

EvanHahn added a commit that referenced this issue Mar 28, 2014
@EvanHahn
Update README
bf058ff 
This addresses the problems discussed in issue #26. It also cleans up the readme and changes some of the language.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@3rd-Eden @evilpacket @natevw @EvanHahn