A Journey in Security: IE8 XSS Filter Distorting Facebook

I've previously written about the IE8 XSS filter and how it can be used to alter the appearance of a webpage (potentially introducing new flaws). In my previous discussion I used google and yahoo as two examples to illustrate how IE8 modifies the page in response to a perceived XSS attack. Google chose to disable IE8 XSS protection and Yahoo did not. This provided a great example on the effects of the IE8 XSS filter. However, Yahoo has sinced disabled XSS protection and effectively killed my example.

So now, I leave you with this. Facebook has not disabled the IE8 XSS Filter. As a result, you can create a non-malicious link which invokes the XSS protection in IE8. This causes the resulting page to be significantly distorted.

This page is the result of visiting the link (shown below) as an authenticated user. To be clear, this is not a FaceBook design flaw. This is simply IE8 modifying the response within your browser to attempt to protect you against the benign search value of "IE8%3Cscript%3E"

http://www.facebook.com/search/?ref=search&q=IE8%3Cscript%3E&init=quick

-Michael Coates

A Journey in Security

Pages

Wednesday, January 13, 2010

IE8 XSS Filter Distorting Facebook