Disabling default XSS filtering in IE8 – For Security Testers

Posted by rajivvishwa On April - 16 - 2009

If you are a security tester and are forced to use IE for testing, make sure you know about IE8's built-in security features before upgrading your current IE. Some of these features will stop us from revealing vulnerabilities in the website under test. This post covers the XSS Filter in IE8, which is enabled by default, and how to disable it for security testing.

NOTE: This post is intended only for security testers/analysts, not for normal internet users. Please do not change the default security settings in IE8 unless you know what you are doing.

XSS Filtering

XSS Filter Enabled


While testing for XSS, you will notice that the XSS alert does not pop up and an ‘Information Bar’ is displayed at the top. Here the IE8 engine modifies the injected script (stripping the malicious characters) before it is echoed back.

Disabling XSS Filters

To disable XSS Filtering, go to Internet Options from the Tools menu, select the ‘Security’ tab, make sure that ‘Internet’ is selected and click ‘Custom Level’. Scroll down to the bottom and select ‘Disable’ under the ‘Enable XSS Filter’ option.


Disable XSS Filter Options

NOTE: Re-enable XSS Filtering once testing is complete, or reset IE8 to its default settings.

Update: To disable the XSS filter from application code, set the HTTP response header X-XSS-Protection: 0 on the pages under test. This affects only responses carrying the header, so the browser-side setting above is still needed for pages you cannot change.
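The header approach, as an added example that is not part of the original post: a small WSGI app that sends X-XSS-Protection: 0 only when a test switch is on (the environment variable name XSS_FILTER_TESTING is an assumption of this example), and an audit helper that flags any response still shipping the disabled value. The value "1; mode=block" used for the non-test mode is the filter's strict setting; choosing it for production is this example's assumption, not something the post prescribes.

```python
"""Added example: setting and auditing the X-XSS-Protection response header.

"0" is the value given in the post and switches the IE8 XSS Filter off.
"1; mode=block" keeps the filter on and tells supporting browsers to block
the page instead of rewriting it (assumed here as the production value).
"""
import os
from wsgiref.simple_server import make_server

DISABLE_FILTER = "0"             # from the post: IE8 XSS Filter off
STRICT_FILTER = "1; mode=block"  # filter on; block rather than rewrite

# Hypothetical switch for this example; a real app would use its own config.
TESTING_ENV_VAR = "XSS_FILTER_TESTING"


def xss_protection_value(security_testing: bool) -> str:
    """Pick the header value for the deployment mode."""
    return DISABLE_FILTER if security_testing else STRICT_FILTER


def build_headers(security_testing: bool) -> list:
    """Response headers as (name, value) pairs, the shape WSGI expects."""
    return [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-XSS-Protection", xss_protection_value(security_testing)),
    ]


def filter_disabled(headers) -> bool:
    """True when these response headers switch the IE8 XSS Filter off.

    Accepts a dict or a list of (name, value) pairs. The header name is
    matched case-insensitively and only the first directive is inspected,
    so "0" disables, "1" or "1; mode=block" keeps the filter on, and a
    missing header means the browser default (filter on) applies.
    """
    items = headers.items() if isinstance(headers, dict) else headers
    for name, value in items:
        if name.lower() == "x-xss-protection":
            return value.split(";", 1)[0].strip() == "0"
    return False


def audit(responses) -> list:
    """Return the paths whose responses disable the filter.

    `responses` is a list of (path, headers) pairs, e.g. collected from a
    crawl of a production site; any hit is a setting that belongs only in
    a test environment.
    """
    return [path for path, headers in responses if filter_disabled(headers)]


def app(environ, start_response):
    """Minimal WSGI app that reports which mode it is serving in."""
    testing = os.environ.get(TESTING_ENV_VAR) == "1"
    start_response("200 OK", build_headers(testing))
    mode = "disabled for testing" if testing else "enabled"
    return [f"<p>IE8 XSS Filter is {mode} for this response.</p>".encode()]


if __name__ == "__main__":
    # Run with XSS_FILTER_TESTING=1 to serve responses with the filter off.
    with make_server("127.0.0.1", 8000, app) as httpd:
        print("Serving on http://127.0.0.1:8000/")
        httpd.serve_forever()
```

Run the audit over headers captured from a production crawl before a release; any path it returns is still sending the testing value and should be switched back.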

To learn more about the XSS Filter, check this link.

