web application security lab

XSS Cheat Sheet Updated For IE7.0

6 hours of grueling testing later, I’ve completed updating the XSS Cheat Sheet with Internet Explorer 7.0. The findings were actually different than I thought they would be going into it. On the surface it looks like IE7.0 is dramatically better than IE6.0 and indeed, if you look at how many tests it passed compared to IE6.0 it is. However, a large chunk of the cross site scripting vectors on the cheat sheet use the JavaScript directive, which has been turned off in a lot more places than just inside images.

One thing I have not gone through is the list of event handlers - one step at a time. Of course any differences between my list and what is supported will evade lots of blacklists looking for particular strings (rather than a whitelist approach). I’ll list the changes here when I get to that point. For the differences it’s probably just worth looking at the cheat sheet for yourself and scanning the list if you are concerned about any particular vectors.

Eventually I’ll have to update the cheat sheet again as some of the principles are still valid, even if the vectors as written are no longer functional (like the grave accent and half open vectors for instance). IE7.0 appears to be quite an improvement in overall security though. I’m glad the JavaScript directive has been relegated to IFRAMEs and HREFs rather than being possible anywhere a location was - thereby definitely reducing the attack surface for the newest browser from Microsoft.
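The blacklist-versus-whitelist point above, as an added example (not code from this post or from the cheat sheet): a string-matching blacklist passes a handler name it has never heard of, while a whitelist keeps only the tags, attributes and URL schemes it names. The lists, function names and sample markup are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blacklist: handler names a string-matching filter happens to know.
BLACKLIST = ("onload", "onerror", "onclick", "onmouseover")
# Constructed whitelist: the only tags and attributes that may survive.
ALLOWED = {"a": {"href", "title"}, "img": {"src", "alt"}, "b": set(), "p": set()}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https"}  # "" means a relative URL

def blacklist_allows(markup):
    # Passes any markup that names none of the listed handlers.
    return not any(name in markup.lower() for name in BLACKLIST)

def safe_url(value):
    # Check the scheme after dropping whitespace and control characters.
    compact = "".join(ch for ch in value if ord(ch) > 0x20)
    try:
        return urlsplit(compact).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag: dropped, its text content is kept escaped
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name in ALLOWED[tag] and (name not in URL_ATTRS or safe_url(value)):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != "img":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(markup):
    parser = WhitelistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed input; "onfuturehandler" stands in for any handler the list lacks.
SAMPLE = '<a href="javascript:void(0)" onfuturehandler="void(0)" title="t">link</a>'
```

The blacklist accepts `SAMPLE` unchanged, while `sanitize(SAMPLE)` keeps only the `title` attribute and the link text.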

8 Responses to “XSS Cheat Sheet Updated For IE7.0”

  1. maluc Says:

    Wow.. good work. When I cared about reliable browser testing, I only got through testing a fourth of them before giving up. It can be quite a pain..


  2. lpilorz Says:

    Thanks, that will be really useful!

  3. Kyran Says:

    Hmm. If you want, I could do tests for Opera 9.02.

  4. RSnake Says:

    I welcome everyone to do their own tests, but I’ll still have to do them myself before I update the cheat sheet. Otherwise I’ll miss stuff that I would learn by doing them myself.

  5. David Kierznowski Says:

    RSnake, the beginning of XSS cheat sheet was definitely an inspired move. Well done for keeping it up.

  6. Tontonq© Says:

    oh shit :@ i wanna die they blocked etc a lot of precaution :(

  7. The Teklow Group » Blog Archive » Mozilla still looking into Firefox flaw claims Says:

    […] Despite claims that the whole thing was a joke, security experts at Mozilla are continuing to investigate Firefox’s JavaScript implementation for potential vulnerabilities. The bloggers at Matasano were recently wondering whether security will be the next battleground in the browser wars and, if so, this is the attitude that could make the difference for Firefox, although IE 7 seems to be doing better than its predecessor as well. […]

  8. Hexagon Business-Weblog » Blog Archive » Internet-Explorer 7 am Mittwoch Says:

    […] The new browser will require some adjustment for all those who have never used a modern browser such as Mozilla Firefox 1.5 or Opera 9. The security of the new Internet Explorer, on the other hand, is definitely worth the switch. Companies should above all make sure that the changeover does not cause problems for internal websites or business-critical applications that rely on Internet Explorer as a component. Extensive testing with the current release candidate is necessary for this and should really already be complete by now. […]