Question

I was trying XSS attack in IE11 to check whether it can prevent XSS or not. I noticed that it was not able to prevent XSS even when its "XSS Filter" was enabled. Why does this happens? Is there any bug in it or am i missing something that i should have done? Is there anyway to get over this problem?

No correct solution

OTHER TIPS

It could be a number of things, here is a post about it and a part that stood out to me that might be applicable:

https://www.whitehatsec.com/blog/internet-explorer-xss-filter/

In the simplest possible terms, the problem is that the anti-XSS filter only compares the untrusted request from the user and the response body from the website for reflections that could cause immediate JavaScript or VBScript code execution. Should an injection from that initial request reflect on the page not cause immediate JavaScript code execution, that untrusted data from the injection is then marked as trusted data, and the anti-XSS filter will not check it in future requests.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top