Disabling default XSS filtering in IE8 – For Security Testers

If you are a security tester and forced to use IE for testing, make sure that you know about IE8 built-in security features before you upgrade your current IE. Some of the security features will stop us from revealing the vulnerabilities in the website. This post talks about the XSS Filter in IE8, which is enabled by default, and how to disable it for security testing.

NOTE: This post is intended only for the security testers/analysts and not for a normal internet user. Please do not mess up the default security settings in IE8, unless you know what you are doing.

XSS Filtering

XSS Filter Enabled

While testing for XSS, we can notice that the XSS alert does not pop up and an ‘Information Bar’ is displayed at the top. Here the IE8 engine modifies the XSS script (strips out the malicious characters) before echoing it back, so the reflected input never executes and the vulnerability stays hidden.

Disabling XSS Filters

To disable XSS Filtering, go to Internet Options from the Tools menu, select the ‘Security’ tab, make sure that ‘Internet’ is selected and click ‘Custom Level’. Scroll down to the bottom and select ‘Disable’ in the ‘Enable XSS Filter’ option.

Disable XSS Filter Options

NOTE: Re-enable XSS Filtering once testing is complete, or reset IE to its default settings.

Update: To disable the XSS filter from application code instead, set the HTTP response header: X-XSS-Protection: 0
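As an added example (not code from the original post), the snippet below shows both sides of that header technique: a helper that only emits `X-XSS-Protection: 0` when the application is explicitly running in a security-testing mode, and an audit function that reads a raw HTTP response and reports what the header actually tells IE8 to do. The function names and the sample responses are constructed for this example.

```python
# Added example, not from the original post. Helper for the
# "X-XSS-Protection: 0" technique plus an audit of what a response sends.

def xss_protection_header(testing):
    """Return the (name, value) pair to emit.

    '0' switches the IE8 filter off so reflected input is echoed unmodified
    and the tester can observe it. Anything else keeps the filter on, so
    only pass testing=True in an isolated security-testing environment.
    """
    return ("X-XSS-Protection", "0" if testing else "1; mode=block")


def parse_xss_protection(raw_response):
    """Classify a raw HTTP response by its X-XSS-Protection header.

    Returns 'disabled' (value 0), 'block' (1; mode=block), 'enabled' (1),
    'default' (header absent: IE8 falls back to its built-in filter) or
    'unknown' (unrecognised value).
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-xss-protection":
            value = value.strip().lower()
            if value.startswith("0"):
                return "disabled"
            if value.startswith("1"):
                return "block" if "mode=block" in value else "enabled"
            return "unknown"
    return "default"


# Constructed sample responses (not captured traffic).
TEST_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
    "<html><body>echo: test</body></html>"
)
PROD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html><body>echo: test</body></html>"
)

if __name__ == "__main__":
    print(xss_protection_header(testing=True))
    print(parse_xss_protection(TEST_RESPONSE))   # disabled
    print(parse_xss_protection(PROD_RESPONSE))   # block
```

Running the audit against a production host is a quick way to catch a test-only `0` that was accidentally shipped.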

To learn more about the XSS filter, check this link


  • ron

    Thanks for this post, it’s useful.

  • Sijan

    you have a trojan horse within a called js file on this website

  • Farmer

    Anybody knows a similar solution for Chrome, Firefox and/or Safari?

  • phallusu

    what is useful about … another … lame desperate for traffic site that blocks viewing the answer with … another round of useless popup menus?

    • http://a4apphack.com/ Rajiv Vishwa

      I’m sorry about the inline ads that appear. I don’t display any annoying text/img ad blocks on my site. I run ads only to compensate for the hosting cost. But I’m not sure why you say that the answer is getting blocked!