random dross
Web security and beyond...
Tagged Content List
Blog Post:
Creating XSS
dross
I’ve seen MS10-002 pop up a few times in discussion recently. This is a reference to the legendary issue that David Lindsay and Eduardo Vela Nava discovered, where neutering for a given heuristic actually enabled XSS, assuming attacker control of data inside a properly quoted HTML attribute. I...
on
25 Apr 2012
Blog Post:
XSS Filter Tech: Later is Better?
dross
Arcane design decisions can have subtle but important effects on the characteristics of a security mitigation. Consider how client-side XSS filtering might examine a given HTTP response for evidence of a reflected attack. Is it more sensible to examine the response before or after that response is processed...
on
20 Dec 2011
Blog Post:
Enforcing Standards Mode with X-FRAME-OPTIONS
dross
Reduced attack surface in Standards Mode is a good step forward for XSS-Focused Attack Surface Reduction in the browser. But it’s necessary to prevent framing as a prerequisite to enforced Standards Mode. Putting this into practice is pretty simple. First, you’ll need a Standards Mode...
on
30 Jun 2011
Blog Post:
Fuzzing for Design Bugs?
dross
Have you ever heard someone ask “Do we need to fuzz this?” This question comes up quite a bit in the context of reactive security work. There are basically two traditional answers: Yes. When you’re attempting to find variants of something like a memory corruption bug, fuzzing...
on
3 Sep 2010
Blog Post:
Happy 10th birthday Cross-Site Scripting!
dross
On the 16th of January, 2000, the following names were suggested and bounced around among a small group of Microsoft security engineers: Unauthorized Site Scripting, Unofficial Site Scripting, URL Parameter Script Insertion, Cross Site Scripting, Synthesized Scripting, Fraudulent Scripting. The next...
on
15 Dec 2009
Blog Post:
Thoughts on Legacy Character Sets
dross
One of the things I have taken from the IE XSS Filter project is a healthy fear of legacy character sets. If you've followed Chris Weber, Scott Stender, or Yosuke Hasegawa’s work, you know that even Unicode is... interesting. But at least in the Unicode world there are standards and evolving best...
on
3 Nov 2009
Blog Post:
Good Bug
dross
Credit goes to Alex "Kuza55" Kouzemtchenko for identifying a weakness in the XSS Filter OBJECT tag heuristic. The original heuristic failed to properly sanitize OBJECT tags with the DATA attribute set. Alex found that it is possible to use the DATA attribute to instantiate the PDF handler, then reference...
on
28 May 2009
Blog Post:
New webappsec tools
dross
Chris Weber's Watcher: http://www.lookout.net/2009/03/20/watcher-security-tool-a-free-web-app-security-testing-and-compliance-auditing-tool/ Watcher plugs into the Fiddler HTTP proxy and monitors for all sorts of web app vulns, from the common to the obscure. Gareth Heyes' XSS Rays: http://www.thespanner...
on
25 Mar 2009
Blog Post:
XSS Filter Improvements in IE8 RC1
dross
I've just posted detail up on the SVRD Blog about some improvements and bug fixes to the XSS Filter feature in IE8 RC1.
on
30 Jan 2009
Blog Post:
Video Roundup (Martin Johns and more!)
dross
Recently I got Martin Johns connected with Helen Wang's group in Microsoft Research. Check out Martin's excellent talk @MSR, Secure Code Generation for Web Applications. Here are a few other gems I discovered on content.digitalwell.washington.edu: Techniques and Tools for Engineering Secure Web...
on
14 Jan 2009
Blog Post:
ABE
dross
Giorgio Maone's new ABE project looks pretty cool. Exposing the loose and often unnecessary boundaries between web applications shines a different light on some old problems in web application security. Enforcing greater formalization and limiting the attack surface presented by these boundaries is...
on
20 Dec 2008
Blog Post:
XSSDS
dross
Björn Engelmann, Joachim Posegga, and LocalRodeo developer Martin Johns have authored an excellent paper on a new Cross-site Scripting detection system called XSSDS. Stay tuned to noxss.org for a new browser extension based on this technology. The XSSDS approach is similar in some ways to the IE8 XSS...
on
30 Sep 2008
Blog Post:
IE8 Beta 2
dross
If you haven’t already seen, Internet Explorer 8 Beta 2 is out – go get it! Now is a good time to thank everyone who helped make the IE8 XSS Filter a reality. This project wouldn’t have been possible without your hard work, support, leadership, guidance, brainstorming, pentesting, coding, and testing...
on
29 Aug 2008
Blog Post:
IE 8 XSS Filter Architecture / Implementation revealed + some other news
dross
I've just posted some detail on the Internet Explorer 8 XSS Filter Architecture / Implementation over on the SWI Blog. It would be great to get some feedback and answer any questions you may have -- just drop me a mail using the Email link to the left. In other news, Gareth Heyes has been spending...
on
19 Aug 2008
Blog Post:
IE8 XSS Filter design philosophy in-depth
dross
It's great to see some positive reaction to the potential of our XSS Filter. Now we just need to deliver! In this blog post I’ll try to shed some light on our design philosophy. To understand how we have arrived at our current filtering approach, it is useful to look back to the XSS Filter’s very...
on
4 Jul 2008
Blog Post:
IE8 goes on the offensive against XSS!
dross
IE has announced the new XSS Filter feature which will debut in IE8 Beta 2! Stay tuned to my blog in the coming weeks for more details on how the filter works, its history, its limitations, and some lessons learned during the development process.
on
2 Jul 2008
Blog Post:
XSS-Focused Attack Surface Reduction
dross
All web browsers expose what have been referred to as XSS “attack vectors” – various techniques that XSS attacks can leverage to achieve script execution. The best and most well regarded list of these behaviors is RSnake’s XSS Cheat Sheet. The existence of these attack vectors can at minimum present...
on
10 Mar 2008
Page 1 of 1 (17 items)