IE8 XSS Filter design in-depth

Dross has written a post on XSS Filter to shed some light on design philosophy. To understand current filtering approach, it is useful to look back to the XSS Filter’s very beginnings.  Version 1.0 of the XSS Filter prototype, originally released within Microsoft back in 2002, provided users with the following (ugly!) prompt: Clearly this is not something […]

Dross has written a post on XSS Filter to shed some light on design philosophy. To understand current filtering approach, it is useful to look back to the XSS Filter’s very beginnings.  Version 1.0 of the XSS Filter prototype, originally released within Microsoft back in 2002, provided users with the following (ugly!) prompt:

Clearly this is not something that everyday users would understand or find acceptable!  We needed to find a way to make the filtering automatic and painless and thus provide maximum benefit to users.

The approach we are taking today in Internet Explorer 8 doesn’t simply examine URL / POST data for evidence of XSS – it is capable of validating that an XSS attack has been replayed into the response.  Having identified the replayed XSS, we then have the capability to neuter the XSS on the page in a highly targeted fashion.  Thus, the XSS Filter can be effective without modifying an initial request to the server or blocking an entire response.

Full Article

About The Author

Deepak Gupta is a IT & Web Consultant. He is the founder and CEO of diTii.com & DIT Technologies, where he's engaged in providing Technology Consultancy, Design and Development of Desktop, Web and Mobile applications using various tools and softwares. Sign-up for the Email for daily updates. Google+ Profile.