IE XSS filter can be used for XSS attacks instead of preventing it. about helmet HOT 7 CLOSED

Thanks Arnout, I'll dig into it. appreciate the heads up.

Arnout Kazemier wrote:

There used to a bug in the XSS filters in Internet Explorer which
actually enabled XSS attacks instead of preventing it. Making sites
which would normally be safe vulnerable for attacks.

So helmet could actually make sites more vulnerable instead of
protecting them. The simplest solution would be disabling the filter
for IE8 as this fix was most certainly landed in IE9 > as I doubt it
can be detected by UA sniffing. If you feel it's not worth to fix
this.. Please consider adding a note to the README file so developers
know that they potentially expose them selfs to XSS attacks.

Related reading:
http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/
http://technet.microsoft.com/en-us/security/bulletin/MS10-002

—
Reply to this email directly or view it on GitHub
#26.

from helmet.

Setting the header X-XSS-Protection: 0 isn't totally a solution, because Chrome respects it. With no header set, it'll block the script from running but keep the page:

With the header set to X-XSS-Protection: 1; mode=block, it redirects to a blank page.

And with it set to 0, it actually runs the script (bad news!):

My adventures in Firefox never ran the script. If you're interested, here's the PHP I used to test this:

<?php
// Uncomment these to see the magic...
/* header('X-XSS-Protection: 0'); */
/* header('X-XSS-Protection: 1; mode=block'); */
?>

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>test thing</title>
</head>
<body>

  <p>Hello, <?php echo $_GET['name'] ?>!</p>

  <p>The above code looks like this:</p>
  <pre>Hello, &lt;?php echo $_GET['name'] ?&gt;!</pre>

</body>
</html>

This might be another browser-sniffing adventure...

from helmet.

Per my understanding [which may be incorrect, only skimmed Arnout's links] the trouble was with IE's page rewriting — the vulnerability was in "fixup" mode as it were. By sending mode=block is the vulnerability avoided, or did IE8 not support that option to begin with?

from helmet.

FWIW, there's no mention of mode=block on the original announcement but I guess that doesn't rule out they added it to IE8 as a security patch.

from helmet.

This isn't an easy thing to solve. If you include it, you make people on new browsers safer and people on old browsers vulnerable to complex attacks. If you don't include it, you make people on all browsers less safe.

I think the algorithm is this:

if ((browser != 'IE') || (version >= 9) || (options.setOnOldIE)) {
  res.setHeader('X-XSS-Protection', '1; mode=block');
} else {
  res.setHeader('X-XSS-Protection', '0');
}

I think you should have to opt in to setting the header for IE 8 and below. I think the API should look like this:

app.use(helmet.iexss());
app.use(helmet.iexss({ setOnOldIE: true }));

And, of course, add a lot of information about this in the README.

Does this sound good?

from helmet.

I think this is perfectly acceptable, specifically the part about
documenting the concern in the README.

Evan Hahn wrote:

This isn't an easy thing to solve. If you include it, you make people
on /new/ browsers safer and people on /old/ browsers vulnerable to
complex attacks. If you don't include it, you make people on /all/
browsers less safe.

I think the algorithm is this:

if ((browser != 'IE') || (version >= 9) || (options.setOnOldIE)) {
res.setHeader('X-XSS-Protection', '1; mode=block');
} else {
res.setHeader('X-XSS-Protection', '0');
}

I think you should have to opt /in/ to setting the header for IE 8 and
below. I think the API should look like this:

app.use(helmet.iexss());
app.use(helmet.iexss({ setOnOldIE: true }));

And, of course, add a lot of information about this in the README.

Does this sound good?

—
Reply to this email directly or view it on GitHub
#26 (comment).

from helmet.

Working on it now!

from helmet.