Bypassing IE and Edge XSS Filters with Double Encoding

IE and Edge both uses a default XSS filter which is not powerful like the XSSAuditor(Webkit/Blink).
This is how the XSS filter is implemented.

https://msdnshared.blob.core.windows.net/media/TNBlogsFS/BlogFileStorage/blogs_technet/swi/WindowsLiveWriter/IE8XSSFilterArchitectureImplementation_7E69/pic1_thumb.png
(source: https://blogs.technet.microsoft.com/srd/2008/08/19/ie-8-xss-filter-architecture-implementation/)

Here’s a more detailed image.

View post on imgur.com


(source: http://www.adambarth.com/papers/2010/bates-barth-jackson.pdf)

In some websites urldecode() is being performed in the backend. Let’s imagine we have a PHP code snippet like this in the back end.


In these kinds of situations I found out that it’s easy bypass the XSS filter by performing double encoding to the filtered character or any valid character in the regex. Once our application decodes one level the XSS filter won’t find anything harmful in the encoded payload and the regex rules won’t apply.
The regular expressions or the filter rules can be found inside the “mshtml.dll” DLL. Let’s look at a few.

View post on imgur.com

{[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.}

In the above filter rule {o} will be filtered with the “#” neuter replacement character.


View post on imgur.com

If we double encode the character “o” no longer the filter will apply.


View post on imgur.com

You can see in the source our payload with no neuter replacements.

View post on imgur.com

In Edge too this will apply decoding is being done in the back end server.

View post on imgur.com

In Edge instead of () we can use “.


View post on imgur.com

I have tested on the following versions.
Internet Explorer
Version : 11.0.9600.18378

Edge
Version: 20.10240.16384.0

Mentions

https://www.webarxsecurity.com/bypassing-modern-web-application-firewall

Advertisements

4 thoughts on “Bypassing IE and Edge XSS Filters with Double Encoding

Leave a Reply