Cross-Site-Scripting (XSS)

I found, while surfing the internet, an instruction to prevent XSS by following these steps:

a. Go to Internet Options from the Tools menu.
b. Then select the 'Security' tab and make sure that 'Internet' is selected.
c. Click 'Custom Level'.
d. Scroll down to the bottom to 'Enable XSS filter' and select the radio button 'Enable'.

To what degree does this filter prevent XSS from happening?
Lawrence Avery, System Developer, asked:

Rich Rumble, Security Samurai, commented:
Where, in what program, are those settings? You prevent XSS on servers typically, and that is done by sanitizing the inputs you accept. If you're talking about IE, then you are attempting to prevent being shown an XSS or cookie-stealing code. It works OK for some attacks, but it fails on others:
https://blog.whitehatsec.com/internet-explorer-xss-filter/
http://blog.trendmicro.com/trendlabs-security-intelligence/internet-explorer-cross-site-scripting-vulnerability-now-public/
http://www.irongeek.com/i.php?page=videos/derbycon4/t111-bypassing-internet-explorers-xss-filter-carlos-munoz
and many others... It's better than nothing, but so is using any browser that isn't IE :)
-rich
btan, Exec Consultant, commented:
It is alright for blocking straightforward XSS (type 1 reflection) attempts.
Best practices should be put in place to eliminate Cross-Site Scripting at the server regardless of if the XSS Filter is enabled or explicitly disabled at the client.
(https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx) but it can be evaded as well through encoding etc.; it's a cat and mouse race. There is even a cheat sheet to bypass such filters (not only for IE):
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Unless we go for lockdown and disable all active content like JS, Java, ActiveX, Flash, remove add-ons, avoid opening directly from URL links (unless we are really sure) etc., or even go for a command-line browser type, the user is always susceptible to such attack attempts. We just need to have more assurance by having layers of defence for the browser and machine. Some use Sandboxie and NoScript (https://www.schneier.com/blog/archives/2014/04/tails.html) to contain the browser, some use a stateless OS on CD/USB like Tails (https://www.schneier.com/blog/archives/2014/04/tails.html) to perform online activities... the idea is not to let what comes through the browser impact your machine. Reduce the exposure, as you cannot eliminate it unless you do not go online at all, but that is impossible in the cyberspace we are connected to.

madunix (Fadi SODAH), Chief Information Security Officer, commented:
I highly recommend that you read the Cross-Site Scripting paper available from the OWASP website at
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

XSS = "The target system is identified with XSS which occurs when dynamically generated web pages display user input, such as login information, that is not properly validated, allowing an attacker to embed malicious scripts into the generated page which is then executed by the browser on the machine of any user that views the page with the malicious content. If successful, Cross-Site Scripting vulnerabilities can be exploited to manipulate or steal cookies, create requests which appear to come from a valid user, compromise confidential information, or execute malicious code on end user systems."


To prevent XSS from the server side, make sure you filter every user input and output with proper encoding like UTF-8. Read the full testing guide: https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf

http://blog.lifars.com/2015/01/18/making-users-hack-themselves-reflected-cross-site-scripting-combines-social-and-technical-attack-vectors/
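The server-side point made in this answer (encode what you reflect, rather than relying on a browser filter), shown as an added example that is not part of the original post. The page template, the sample inputs and the naive blacklist are constructed for illustration.

```python
# Constructed demo: a search page that reflects the user's query back into HTML.
# Three renderers of the same template show why output encoding, not tag
# stripping, is the server-side control. Sample inputs are assumed, not from the page.

SAMPLE_INPUTS = [
    "laptops",                      # benign query
    "<script>alert(1)</script>",    # classic reflected-XSS probe
    "<SCRIPT>alert(1)</SCRIPT>",    # same thing, different case
]

# Characters that carry meaning in an HTML body or attribute, mapped to entities.
HTML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}

def encode_for_html(text: str) -> str:
    """Entity-encode every character with HTML meaning (per-character, so '&' is
    never double-encoded). The browser then renders the input as text only."""
    return "".join(HTML_ENTITIES.get(c, c) for c in text)

PREFIX, SUFFIX = "<p>Results for: ", "</p>"

def render_vulnerable(query: str) -> str:
    """Echoes the raw input into the page: this is the reflected XSS bug."""
    return f"{PREFIX}{query}{SUFFIX}"

def render_blacklist(query: str) -> str:
    """Naive 'filter' that strips one literal tag. It misses trivial variants,
    which is the cat-and-mouse problem the answers above describe."""
    cleaned = query.replace("<script>", "").replace("</script>", "")
    return f"{PREFIX}{cleaned}{SUFFIX}"

def render_encoded(query: str) -> str:
    """Hardened version: contextual output encoding of the reflected value."""
    return f"{PREFIX}{encode_for_html(query)}{SUFFIX}"

def reflected_slot_has_markup(rendered: str) -> bool:
    """Detection check: does the reflected slot still contain a raw '<' or '"'
    that the browser would parse as markup rather than text?"""
    body = rendered[len(PREFIX):len(rendered) - len(SUFFIX)]
    return "<" in body or '"' in body

def demo() -> list:
    """Returns (input, vulnerable?, blacklist?, encoded?) for each sample."""
    return [(q,
             reflected_slot_has_markup(render_vulnerable(q)),
             reflected_slot_has_markup(render_blacklist(q)),
             reflected_slot_has_markup(render_encoded(q))) for q in SAMPLE_INPUTS]

if __name__ == "__main__":
    for q, vuln, black, enc in demo():
        print(f"{q!r}: vulnerable={vuln} blacklist={black} encoded={enc}")
```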
btan, Exec Consultant, commented:
No matter what, do not rely only on the browser XSS filter; there are too many means to bypass it. The sure way is to build deterrence and layer your controls so that when (not 'if') that fails, you have other controls like a sandboxed browser, an add-on driver from a Host IPS to reduce attack penetration further in (like Bromium vSentry or similar), and disabling scripting and ActiveX will be preferred instead (like the NoScript add-on). Nothing is impassable. I do see that NoScript and Mozilla have a slight edge over Chrome and IE, specifically in stronger responses when vulnerabilities in their software surface, responding timely to keep the exposure window small, my own view though... I still use various browsers for specific use cases, rather than one for all work, non-work and private interest etc...