"At Black Hat Europe, presenters show how filters designed to prevent cross-site scripting can be used to launch those very attacks "
The good news is that Microsoft's Internet Explorer 8 browser offers a new set of filters designed to prevent some cross-site scripting (XSS) attacks. The bad news is that those same filters could be used to enable XSS attacks.
That was the gist of a presentation offered today by security researchers David Lindsay and Eduardo Vela Nava at the Black Hat Europe conference in Barcelona, Spain.
In a paper (PDF) presented at the conference, the researchers described several methods that attackers could use to enable XSS on sites that would otherwise be immune to XSS.
"There's an irony here because you're using filters that are designed to improve security to launch attacks on sites that take security seriously," said Lindsay during a telephone interview prior to the presentation.
The vulnerabilities were found in several filters that Microsoft added to IE 8 to help identify and "neuter" simple XSS attacks, Lindsay explained.
Continued here: http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=224400451