Internet Explorer 8 contains a new feature to detect reflected cross-site scripting (XSS) vulnerabilities. XSS vulnerabilities enable an attacker to control the relationship between a user and a Web site or Web application that they trust. Cross-site scripting can enable attacks such as:
Cookie theft, including the theft of sessions cookies that can lead to account hijacking
Monitoring keystrokes input to the victim Web site or application
Performing actions on the victim Web site on behalf of the victim user. For example, an XSS attack on Windows Live Mail might enable an attacker to read and forward e-mail messages, set new calendar appointments, and so on.
The XSS Filter operates as an Internet Explorer 8 component with visibility into all requests / responses flowing through the browser. When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server's response.
With the new XSS Filter, Internet Explorer 8 users encountering a Type-1 XSS attack will see a notification like the following:
The page has been modified and the XSS attack is blocked. Users are not presented with a question about what they would like to do in this case (a question most users would be unable to answer). Internet Explorer simply blocks the malicious script from executing.
In this case the XSS Filter has identified a cross-site scripting attack in the URL. It has neutered this attack as the identified script was replayed back into the response page. In this way the filter is effective without modifying an initial request to the server or blocking an entire response.
上面是微软网站上的介绍,一个简单的方法来处理脚本攻击。例如:
http://localhost/a.htm?content=<script>alert(1);</script>。那么在IE8及其后续的版本就会用这个恶意脚本去匹配输出内容吧。具体的还需要后续进行测试。
分享到:
相关推荐
网站中包含大量的动态内容以提高用户体验,比过去要复杂得多。所谓动态内容,就是根据用户环境和需要,Web应用程序能够输出相应的内容。动态站点会受到一种名为“跨站脚本攻击”(Cross Site Scripting, 安全专家们...
JVM调优总结 -Xms -Xmx -Xmn -Xss JVM调优总结 -Xms -Xmx -Xmn -Xss
Laravel开发-xss-protection 过滤输入中的XSS
JVM调优总结 -Xms -Xmx -Xmn -Xss
java_jvm_参数_-Xms_-Xmx_-Xmn_-Xss_调优总结.pdf java_jvm_参数_-Xms_-Xmx_-Xmn_-Xss_调优总结.pdf
Bug Bounty Hunting for Web Security Bug Bounty Hunting for Web Security Bug Bounty Hunting for Web Security Bug Bounty Hunting for Web Security
前端开源库-xss-filtersXSS过滤器,安全的XSS过滤器-足够的输出过滤来防止XSS!
java jvm 参数 -Xms -Xmx -Xmn -Xss -
前端顽疾--XSS漏洞分析与解决.ppt
Laravel开发-laravel-xss-filter 过滤XSS的用户输入,但不要过滤其他HTML
pikachu-xss
Laravel开发-laravel-xss-middleware 简单的Laravel XSS Middlware,可以从用户身上剥离所有标签并对所有实体进行编码。
007-Web安全基础3---XSS漏洞(CISP-PTE).pptx
Bug Bounty Tip - i春秋Self-XSS变废为宝的奇思妙想 i春秋技术分享,将self-xss利用扩大化,奇思妙想可以借鉴。
007-Web安全基础3 - XSS漏洞
使用白名单指定的配置对不受信任HTML进行清理(以防止XSS)。 xss是用于过滤用户输入以防止XSS攻击的模块。 ( ) 项目主页: : 在线尝试: : 特征 指定HTML标记及其白名单允许的属性 使用自定义功能处理所有...
JVM参数_-Xms_-Xmx_-Xmn_-Xss_调优总结
122-DOM-XSS漏洞挖掘
主要展示在Nginx中配置X-Frame-Options、X-XSS-Protection、 X-Content-Type-Options、Strict-Transport-Security、https等安全配置。 Nginx.conf配置如下 # 不要将Nginx版本号在错误页面或服务器头部中显示 ...
XanXSS一个简单的 XSS 查找工具