Wednesday, December 16, 2015

X-XSS-Nightmare: XSS Attacks Exploiting XSS Filter

In this post, I would like to share an XSS attack that uses IE's XSS filter. This issue was fixed by Microsoft in the December patch (CVE-2015-6144 / CVE-2015-6176).

I spoke about this topic at the Japanese info-sec conference called CODE BLUE. You can find my name here. In my presentation, I talked only about the concept and didn't touch on the details of the attack techniques because the issue was not fixed at that time.

Today, I can finally release hidden slides! Yeah!
The real X-XSS-Nightmare slides are the following.



Some attack vectors which I have reported are not fixed yet. So, I had to remove some slides :p

You can reproduce some of the PoCs from this page:

http://l0.cm/xxn/


I hope you will enjoy it!

6 comments:

  1. Pretty! This was 먹튀검증 an extremely wonderful article. Thank you for providing this information.

  2. Great insights on XSS vulnerabilities! It's crucial to stay updated on security patches like those from Microsoft. As we discuss these technical issues, I can't help but think of how game developers, like those behind Snow rider, must also prioritize security to protect user data. It’s fascinating how different fields intersect with cybersecurity. Looking forward to seeing your hidden slides!

  3. Interesting read! It's fascinating to see how XSS filters, meant to protect users, can themselves become vulnerabilities. It's like trying to secure your house and accidentally leaving the back door unlocked. Makes you wonder about all the potential attack vectors that are still out there, lurking. Reminds me of trying to nail a particularly tricky level in friday night funkin - you think you've got it, then BAM! Unexpected vulnerability. Thanks for sharing the insights!
