Thursday, August 28, 2008

XSS-filter architecture

A detailed article on the XSS-filter architecture and implementation was published on the Security Vulnerability Research & Defense blog. The primary objective of the XSS filter integrated into IE8 is to prevent the exploitation of cross-site scripting vulnerabilities without breaking the Web.
Cross-site scripting (XSS) is a type of vulnerability common in Web applications, which allows malicious code to be injected into a legitimate Web page that is then viewed by other users. Depending on the injected code, the consequences can be serious. According to Mitre, Type-1 XSS vulnerabilities are now among the most common on the Internet, overtaking buffer overflows, which had held first place for many years. The rise of XSS vulnerabilities prompted browser developers to implement serious security features. Microsoft's response is the XSS filter for Internet Explorer 8, which will be included in the Beta 2 version.

The XSS filter was built with a number of considerations in mind: to keep disruption of genuine data and content to a minimum, to reduce the risk of the filter itself being subverted, to avoid compromising performance, and to be as fast as possible. In order to intercept requests and responses in the browser, the filter is built directly into the IE8 rendering engine (MSHTML); initially, it was implemented as a MIME filter.

So as not to slow down browsing, the filter only comes into action when a cross-site navigation is present or when the source of a rendered part cannot be determined. The filter can also be disabled for certain zones, such as intranets.

The filter works in two stages. In the first, GET/POST data is scanned using heuristics in order to identify XSS attacks. If a match is found, a signature is built to detect the malicious markup. The signature is then applied to the HTTP response, and the identified markup is altered and blocked while the rest of the page is kept intact. Both the heuristics and the signatures are regular expressions. Each heuristic contains a list of safe characters; the remaining, unsafe characters are replaced by a neutering character, which renders the markup inactive.
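As an added illustration of that two-stage flow (this is not IE8's own code or rule set; the heuristics, safe-character list and sample requests are constructed for the example), the following Python model scans the request parameters, builds a signature from each suspect fragment, applies it to the response body and replaces characters outside the safe list with a neutering character.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed, deliberately small heuristics: the real IE8 rule set is richer.
HEURISTICS = [
    re.compile(r"<\s*script\b", re.I),                # script tag
    re.compile(r"<[a-z][^>]*\bon[a-z]+\s*=", re.I),   # tag with inline event handler
    re.compile(r"javascript\s*:", re.I),              # javascript: URL scheme
]
# Characters allowed to survive in a matched fragment; everything else is neutered.
SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 \t")
NEUTER = "#"


def scan_request(url: str, post_body: str = "") -> list[str]:
    """Stage 1: run the heuristics over every GET and POST value; return suspect fragments."""
    values = [v for _, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    values += [v for _, v in parse_qsl(post_body, keep_blank_values=True)]
    hits = []
    for value in values:
        for rule in HEURISTICS:
            m = rule.search(value)
            if m:
                hits.append(m.group(0))
                break
    return hits


def build_signature(fragment: str) -> re.Pattern:
    """Turn a suspect fragment into a signature: each non-space character is matched
    literally, with optional whitespace allowed between them, so a lightly
    reformatted reflection of the same input still matches."""
    parts = [re.escape(c) for c in fragment if not c.isspace()]
    return re.compile(r"\s*".join(parts), re.I)


def neuter(fragment: str) -> str:
    """Replace every character outside the safe list with the neutering character."""
    return "".join(c if c in SAFE else NEUTER for c in fragment)


def filter_response(url: str, body: str, post_body: str = "") -> tuple[str, bool]:
    """Stage 2: apply each signature to the response body and neuter what it matches.
    Returns the (possibly altered) body and whether anything was blocked."""
    blocked = False
    for fragment in scan_request(url, post_body):
        body, count = build_signature(fragment).subn(lambda m: neuter(m.group(0)), body)
        blocked = blocked or count > 0
    return body, blocked
```

Only the reflected fragment is altered, so a page that merely echoes a harmless search term passes through unchanged.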

Despite this, the XSS filter is not perfect. Some compromises must be made to strike a good balance between security, compatibility and performance, and to avoid breaking sites. While it protects against the most widespread and common forms of XSS attacks, some specific attack scenarios, such as "referrer"-based injection, are still not covered. David Ross, Security Software Engineer on the SWI team, notes that "over time, we will continue to increase XSS filters to maximize efficiency, but we will not compromise site compatibility in the process."
