web application security lab

Header Spoofing using MSXML Patched

I was going back through my file of older issues, and I started playing with Amit’s header spoofing using XMLHTTPRequest in Internet Explorer, and to my surprise, it appears to have been fixed! Talk about quiet! So I emailed Amit, and he too couldn’t verify that it was fixed in IE7.0. I finally got to the root of the issue. Apparently, in MSXML3 SP8 and MSXML6 SP1 (which ships in Vista), you can no longer do header spoofing in Internet Explorer using XMLHTTPRequest. Amazing!

I was hesitant to post this until I verified the facts, but apparently it’s true. Amit told me that his tests were done using IE6.0 (7.0 hadn’t shipped at the point he had released that post). So for those of you who are trying to get it working but can’t, that may be why. I haven’t concluded my testing using some of the other more obscure methods, but so far, so good. MS has been doing a good job of shutting this stuff down lately!
