Internet Explorer XSS filter question

  • Question

  • User1977787504 posted

    "Internet Explorer has modified this page to help prevent cross-site scripting." I am using IE10. On localhost there is no cross-site scripting, but on the server, in the same IE10 and following the same steps, I am getting the message and # is displayed on the page. Now I have disabled the XSS filter option in the IE security settings, and it is working fine, but I want to ask: is this a security issue for the website? If it is not, then how could I rectify the issue server-side for all users of the site?

    Friday, June 6, 2014 8:56 AM

Answers

  • User1140095199 posted

    Hi Waqar,

    Greetings!

    From the issue description, I understand that you get script errors in Internet Explorer 10.

     XSS is a feature provided by IE to protect users from cross-site scripting attacks.

    Cross-site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website.

     Source Article - Can I disable XSS filter to stop script error in Internet Explorer 10?

    You may refer to the solutions provided in the above article.

    However, it is not recommended to turn off the XSS Filter. Doing so will leave you vulnerable to cross-site scripting attacks as explained above.

    You may allow users to disable the XSS filter and alternatively apply methods to protect your website from cross-site attacks, as it is in the user's hands whether he disables the XSS filter or not.

    Refer to the following: Use the AntiXSS Library

    http://www.codeproject.com/Articles/573458/An-Absolute-Beginners-Tutorial-on-Cross-Site-Scrip

    http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-2.html

    Also check the Microsoft Security Bulletin:

    Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)

    Hope it helps!

    Best Regards!

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, June 9, 2014 1:36 AM
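
The server-side approach the answer points to (encode request data before it is written into the page), as an added example that is not part of the original thread. It uses the framework's `System.Net.WebUtility.HtmlEncode` instead of the AntiXSS library so that it runs as a plain console program; the `status` element, the method names, the status codes and the sample input are assumptions.

```csharp
using System;
using System.Net;

static class ReflectedOutputDemo
{
    // Unsafe: the request value is concatenated into markup unchanged, so any
    // markup it carries becomes part of the response page.
    static string RenderUnsafe(string message)
    {
        return "<div id=\"status\">" + message + "</div>";
    }

    // Hardened: HTML-encode at output time so the value is displayed as text
    // and never parsed as markup.
    static string RenderEncoded(string message)
    {
        return "<div id=\"status\">" + WebUtility.HtmlEncode(message) + "</div>";
    }

    // Alternative after a postback action followed by a redirect: pass a fixed
    // code and map it to server-owned text, so no request text is echoed at all.
    static string RenderFromCode(string code)
    {
        switch (code)
        {
            case "deleted": return "<div id=\"status\">Record deleted.</div>";
            case "saved":   return "<div id=\"status\">Record saved.</div>";
            default:        return "<div id=\"status\"></div>"; // unknown codes show nothing
        }
    }

    static void Main()
    {
        // Constructed sample input, as it would arrive in a query-string parameter.
        string fromRequest = "<script>alert(1)</script>";

        Console.WriteLine(RenderUnsafe(fromRequest));   // markup passes through unchanged
        Console.WriteLine(RenderEncoded(fromRequest));  // angle brackets become entities
        Console.WriteLine(RenderFromCode("deleted"));   // fixed server-side text
        Console.WriteLine(RenderFromCode(fromRequest)); // unknown code, empty status
    }
}
```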

All replies

  • User1977787504 posted

    Yup, you are right. Actually, my issue arose when I deleted the record in RowCommand; I have just redirected the page to this page.

    Wednesday, June 11, 2014 3:28 AM