Last active: August 29, 2015 14:14
findstr /C:"sc{r}" \WINDOWS\SYSTEM32\mshtml.dll|find "{"
======================================================
Extract XSS Filters from MSHTML.DLL used in IE9
======================================================
findstr /C:"sc{r}" \WINDOWS\SYSTEM32\mshtml.dll|find "{"
======================================================
IE9 Summary - 23 Hardcoded Regex in mshtml.dll
======================================================
Fixed strings (2): javascript:, vbscript:
HTML tags (14): object, applet, base, link, meta, import, embed, vmlframe, iframe, script (2), style, isindex, form
HTML attributes (3): " datasrc, " style=, " on*= (event handlers)
JavaScript strings (4): ";location=, ";a.b=, ");a(, ";a(b)
======================================================
XSS URL Overview - IE9 XSS Filter Neutering Example - Craft a URL
======================================================
HTTP GET http://victim.fqdn/?xss=<script>
======================================================
IE9 performs a regex match on the HTTP request
======================================================
{sc{r}ipt.*?>}
======================================================
HTTP response with script tags
======================================================
<script>
======================================================
IE9 will neuter the output
======================================================
<sc#ipt>
======================================================
XSS.Cx Comments on IE9 Neutering
======================================================
IE9 blocks JS by neutering these characters: = ( )
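As an added illustration (not part of the gist), a small Python model of the brace-marked signature format and the match-request, check-reflection, then-neuter behaviour shown above. Only the `sc{r}ipt.*?>` signature is from the page; the two extra signatures and their brace positions, the use of the decoded query string as "the request", and rewriting only the first reflected occurrence are assumptions of this model, not verified mshtml.dll behaviour.

```python
import re
from urllib.parse import urlsplit, unquote

NEUTER_CHAR = "#"  # replacement character seen on the page: <script> -> <sc#ipt>

# Signature format as extracted from mshtml.dll: a regex in which one character is
# wrapped in braces to mark what gets neutered. Only the first entry is from the page;
# the other two are constructed illustrations of categories the page lists.
SIGNATURES = [
    r"sc{r}ipt.*?>",      # from the page (HTML tag category)
    r"{j}avascript:",     # constructed: fixed-string category, brace position assumed
    r"\"\s*on\w+\s*{=}",  # constructed: '" on*=' event-handler attribute, brace position assumed
]


def compile_signature(sig):
    """Turn 'sc{r}ipt.*?>' into a compiled regex with the neuter char in group 'n'."""
    m = re.search(r"\{(.)\}", sig)
    if m is None:
        raise ValueError("signature lacks a {x} neuter marker: " + sig)
    body = sig[:m.start()] + "(?P<n>" + re.escape(m.group(1)) + ")" + sig[m.end():]
    return re.compile(body, re.IGNORECASE)


def request_text(url):
    """The filter inspects the request; this model uses the decoded query string."""
    return unquote(urlsplit(url).query)


def neuter(url, response_body):
    """Model of the filter: a signature must match the request AND the matched text
    must be reflected verbatim in the response; then the marked char becomes '#'.
    Returns (possibly rewritten body, signature that fired or None)."""
    req = request_text(url)
    for sig in SIGNATURES:
        pat = compile_signature(sig)
        m = pat.search(req)
        if m is None or m.group(0) not in response_body:
            continue  # no match, or matched but not reflected: the filter stays silent
        hit = m.group(0)
        off = m.start("n") - m.start()  # where the braced char sits inside the match
        fixed = hit[:off] + NEUTER_CHAR + hit[off + 1:]
        # Assumption of this model: only the first reflected occurrence is rewritten.
        return response_body.replace(hit, fixed, 1), sig
    return response_body, None


if __name__ == "__main__":
    page = "<html><script>alert(1)</script></html>"  # constructed reflected response
    print(neuter("http://victim.fqdn/?xss=<script>", page))
```

The second branch of `neuter` is the point worth noting for defenders: input that matches a signature but is not echoed in the response is left untouched, so the filter only ever acts on reflected content.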