@xsscx
Last active August 29, 2015 14:14
======================================================
Extract XSS Filters from MSHTML.DLL used in IE9
======================================================
findstr /C:"sc{r}" \WINDOWS\SYSTEM32\mshtml.dll|find "{"
======================================================
IE9 Summary - 23 Hardcoded Regex in mshtml.dll
======================================================
Fixed strings (2) javascript:, vbscript:
HTML tags (14) object, applet, base, link, meta, import, embed, vmlframe, iframe, script(2), style, isindex, form
HTML attributes (3) " datasrc, " style=, " on*= (event handlers)
JavaScript strings (4) ";location=, ";a.b=, ");a(, ";a(b)
======================================================
XSS URL Overview - IE9 XSS Filter Neutering Example - Craft a URL
======================================================
HTTP GET http://victim.fqdn/?xss=<script>
======================================================
IE9 performs a regex match on the HTTP request
======================================================
{sc{r}ipt.*?>}
======================================================
HTTP Response with Script Tags
======================================================
<script>
======================================================
IE9 will Neuter the Output
======================================================
<sc#ipt>
======================================================
XSS.Cx Comments on IE9 Neutering
======================================================
IE9 blocks JS by neutering (overwriting with #) one of these characters in the matched string:
=
(
)
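As an added illustration of the walk-through above (not code from the gist or from mshtml.dll), the following Python models the reflection check: a signature in the page's `{...{x}...}` notation is compiled so that the inner `{x}` becomes a capture group, the signature fires only when it matches the request URL, and each match in the response then has that one character overwritten with `#`. The reading of the `{x}` marker as "the character to neuter" and the request-then-response rule are assumptions based on the `<script>` / `<sc#ipt>` example.

```python
import re

# Signature in the page's mshtml.dll notation: outer {...} delimits the regex,
# the inner {x} marks the single character the filter overwrites with '#'.
# Only the one pattern quoted on the page is listed.
SIGNATURES = ["{sc{r}ipt.*?>}"]


def compile_signature(sig):
    """Convert '{sc{r}ipt.*?>}' into a regex with a named group 'n' on the neuter char."""
    if not (sig.startswith("{") and sig.endswith("}")):
        raise ValueError("signature must be wrapped in {...}: %r" % sig)
    body = sig[1:-1]
    marker = re.search(r"\{(.)\}", body)
    if marker is None:
        raise ValueError("signature has no {x} neuter marker: %r" % sig)
    pattern = (body[: marker.start()]
               + "(?P<n>" + re.escape(marker.group(1)) + ")"
               + body[marker.end():])
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)


def neuter(request_url, response_body, signatures=SIGNATURES):
    """Simplified model of the reflected-XSS check (assumption, not MS's logic):
    a signature fires only if it matches the request URL; every match in the
    response then gets its marked character replaced by '#'.
    Returns (rewritten_body, list_of_signatures_that_fired)."""
    out, fired = response_body, []
    for sig in signatures:
        rx = compile_signature(sig)
        if rx.search(request_url) is None:
            continue  # nothing reflected from the request: response left untouched

        def poke(m):
            # overwrite only the neuter char inside this match, keep the rest verbatim
            s, e = m.span("n")
            whole = m.group(0)
            return whole[: s - m.start()] + "#" + whole[e - m.start():]

        out, count = rx.subn(poke, out)
        if count:
            fired.append(sig)
    return out, fired


if __name__ == "__main__":
    # Constructed request/response pair following the page's walk-through.
    url = "http://victim.fqdn/?xss=<script>"
    body = "<p>hi</p><script>alert(1)</script>"
    print(neuter(url, body))  # ('<p>hi</p><sc#ipt>alert(1)</sc#ipt>', ['{sc{r}ipt.*?>}'])
    print(neuter("http://victim.fqdn/?q=hello", body))  # response unchanged, []
```

Note that the closing `</script>` also matches `sc{r}ipt.*?>` and is neutered too; when the request does not contain the pattern, the identical response passes through unmodified, which is the whole point of a reflection-based filter.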