Creating XSS

I’ve seen MS10-002 pop up a few times in discussion recently. This is a reference to the legendary issue that David Lindsay and Eduardo Vela Nava discovered, where the neutering performed for a given heuristic actually enabled XSS, assuming attacker control of data inside a properly quoted HTML attribute. I'd like to share some detail about the tools the XSS Filter has at its disposal for defeating this sort of attack in a general sense.

The XSS Filter’s approach has always relied on taking great care not to neuter characters which can alter parsing context. For example, if we were to neuter a double quote, that could have the unintended side-effect of activating script otherwise safely contained within a JavaScript string in some other part of the page. The bug addressed by MS10-002 was not quite as obvious, but it was along the same lines.

Neutering is an attempt to target XSS precisely as it may manifest on a given page. But one thing that often goes unnoticed is that the XSS Filter is actually empowered to take various different approaches to mitigating XSS, and it can do so on a per-heuristic basis. In other words, given any identified issue with the neutering approach for a heuristic, we are able to choose from various possible mitigations (e.g. mode=block), applied specifically for that heuristic. In that way it is possible to disable attacks with a larger hammer as necessary, without forcing the XSS Filter to apply in any situation where it didn’t apply before.
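To make the "don't neuter context-altering characters" rule and the per-heuristic fallback to blocking concrete, here is a toy Python model of a response-rewriting filter, added as an illustration and not the XSS Filter's own code. The heuristic regex, the sample page, the set of context-altering characters and the use of a space as the replacement character are all constructed assumptions.

```python
import re

# Characters whose rewrite can change how the surrounding markup or script is
# parsed (assumption for this toy model; a real filter's list is broader).
CONTEXT_ALTERING = set('"\'<>/=')

# Constructed heuristic: a short string body, a terminator, then a call.
HEURISTIC = re.compile(r'"[^"]{0,8};\s*alert\(')

def outside_strings(js):
    """Return the text of `js` that is NOT inside a double-quoted literal
    (escape-aware). This approximates what a JS engine would execute; it
    deliberately models only string context, not full JS syntax."""
    out, in_str, i = [], False, 0
    while i < len(js):
        c = js[i]
        if in_str and c == '\\':
            i += 2                      # skip the escaped character
            continue
        if c == '"':
            in_str = not in_str
        elif not in_str:
            out.append(c)
        i += 1
    return ''.join(out)

def neuter(page, respect_context, heuristic=HEURISTIC):
    """Rewrite the first heuristic match by overwriting one character with a
    space (replacement character is an assumption). respect_context=False
    blindly takes the first matched character, even a quote. respect_context=True
    picks the first matched character that cannot alter context and, if the
    match offers none, falls back to blocking the page (returns None, the
    analogue of mode=block) rather than rewriting it."""
    m = heuristic.search(page)
    if not m:
        return page
    start, end = m.span()
    if not respect_context:
        idx = start
    else:
        safe = [k for k in range(start, end)
                if page[k] not in CONTEXT_ALTERING and not page[k].isspace()]
        if not safe:
            return None
        idx = safe[0]
    return page[:idx] + ' ' + page[idx + 1:]

# Constructed page: attacker-influenced data sits safely inside a quoted string.
PAGE = 'var s = "1;alert(1);//"; doWork(s);'
NAIVE = neuter(PAGE, respect_context=False)   # quote neutered: string context lost
SAFE = neuter(PAGE, respect_context=True)     # '1' neutered: data stays data
```

Run `outside_strings` on `PAGE`, `NAIVE` and `SAFE` to see that only the naive rewrite moves `alert(` out of the string literal and into executable position.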