---
layout: post
status: publish
published: true
title: Bypass ASP.NET XSS Protection in Internet Explorer
wordpress_id: 290
wordpress_url: http://pro.grammatic.org/post-bypass-aspnet-xss-protection-in-internet-explorer-8.aspx
date: !binary |-
  MjAwNy0wNS0xNSAxNDowMzoyNCArMDIwMA==
date_gmt: !binary |-
  MjAwNy0wNS0xNSAxNDowMzoyNCArMDIwMA==
categories:
- Technology
- InfoSec
- .NET
tags:
- information security
- .NET
comments: []
---
ASP.NET comes preloaded with some default XSS protection which is actually pretty nifty. However, it turns out that the system can be circumvented by a variety of methods, as illustrated by this test input:
{% highlight html %}
{% endhighlight %}

It turns out that IE will still process attributes on closing tags, which circumvents the filter for `<a`, whilst also treating `/**/` as a null comment, which obviously breaks .NET's filter regex. Thanks to Hong @ sla.ckers.
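The closing-tag gap described above, as an added example that is not part of the original post and not ASP.NET's own code: a simplified stand-in for a blacklist check is run over constructed, harmless inputs, next to HTML-encoding at output time, which does not depend on the filter catching anything. The names `BlacklistRejects` and `Render` and the regex are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

static class ClosingTagDemo
{
    // Simplified stand-in for a blacklist input check (an assumption, not
    // .NET's real filter): reject any '<' immediately followed by a letter.
    static readonly Regex OpeningTag =
        new Regex("<[A-Za-z]", RegexOptions.CultureInvariant);

    static bool BlacklistRejects(string input) => OpeningTag.IsMatch(input);

    // Encode at the point of output so that markup characters in untrusted
    // text are rendered as text, whatever the input filter let through.
    static string Render(string untrusted) =>
        "<p>" + WebUtility.HtmlEncode(untrusted) + "</p>";

    static void Main()
    {
        // Constructed, harmless samples (not the test input from the post).
        string[] samples =
        {
            "<b title=\"x\">",   // opening tag: '<' followed by a letter
            "</b title=\"x\">",  // closing tag carrying an attribute
            "plain text",
        };

        foreach (string s in samples)
        {
            Console.WriteLine("input    : " + s);
            Console.WriteLine("rejected : " + BlacklistRejects(s));
            Console.WriteLine("rendered : " + Render(s));
            Console.WriteLine();
        }
    }
}
```

The closing-tag sample is not matched by the pattern, yet the rendered output for every sample contains no raw `<`, `>` or `"` from the input, which is why output encoding is the control to rely on rather than the input filter.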