Abusing Internet Explorer 8's XSS Filters

Internet Explorer 8 introduced a new type of defense against Cross-site Scripting (XSS) attacks.The idea was to build filters into the browser which can detect and prevent certain types of malicious XSS attacks. Most filter based XSS approaches are implemented on the server side inside a web application or as part of a Web Application Firewall.This made the Microsoft approach a somewhat novel approach but one which other browser vendors have begun to follow. Although the filters do not protect against all types of XSS attacks, nor do they attempt to, they do attempt to raise the bar for a would-be attacker by making certain commonly attack scenarios non-exploitable.

Download PDF