IE Universal XSS Vulnerability Mitigation
An article on CIO.com yesterday discussed an easy attack vector on IE 11 on Windows 8.1, but it works on my Windows 7 with IE 10 as well. To see the (benign) attack in action, follow these steps:
- In IE, go to http://www.deusen.co.uk/items/insider3show.3362009741042107/.
- After 3 seconds, close the popup.
- Click the "Go" link.
This will launch another window that will load the Daily Mail site, and then after seven seconds, will show the injected payload "Hacked by Deusen."
The good news? This can be mitigated by your application, or centrally with a policy or iRule, by inserting the X-Frame-Options response header with either the DENY or SAMEORIGIN value, which tells the browser not to render the page inside a frame. The DENY value is shown in the examples below.
LTM Policy
ltm policy xframecontrol {
    controls { forwarding }
    requires { http }
    rules {
        xframeopt {
            actions { 0 { http-header response insert name X-Frame-Options value DENY } }
            ordinal 1
        }
    }
    strategy first-match
}
LTM iRule
when HTTP_RESPONSE {
    # Insert X-Frame-Options on every response passing through the virtual server
    HTTP::header insert X-Frame-Options DENY
}
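Two application-side pieces of the same mitigation, as an added example that is not from the article or F5: a WSGI middleware that sets the header itself, and a checker that classifies a response's headers so you can confirm the policy or iRule above is actually in effect. All function names and the sample application are constructed for this example.

```python
from typing import Callable, Iterable, List, Tuple

Header = Tuple[str, str]
SAFE_VALUES = ("DENY", "SAMEORIGIN")

def xfo_status(headers: Iterable[Header]) -> str:
    """Classify a response by its X-Frame-Options header(s):
    "protected" = one value, DENY or SAMEORIGIN (case-insensitive);
    "missing"   = header absent, so any origin may frame the page;
    "weak"      = anything else (ALLOW-FROM, or several conflicting
                  values, which browsers do not handle consistently)."""
    values = {v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"}
    if not values:
        return "missing"
    if len(values) == 1 and values.pop() in SAFE_VALUES:
        return "protected"
    return "weak"

def add_frame_options(app: Callable, value: str = "DENY") -> Callable:
    """WSGI middleware: set X-Frame-Options on every response, replacing
    whatever the wrapped application itself emitted for that header."""
    if value.upper() not in SAFE_VALUES:
        raise ValueError("X-Frame-Options value must be DENY or SAMEORIGIN")

    def wrapped(environ, start_response):
        def _start(status, headers, exc_info=None):
            kept = [h for h in headers if h[0].lower() != "x-frame-options"]
            kept.append(("X-Frame-Options", value.upper()))
            return start_response(status, kept, exc_info)
        return app(environ, _start)
    return wrapped

def demo_app(environ, start_response):
    # Constructed sample application with no framing protection of its own.
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>demo page</body></html>"]

def response_headers(app: Callable) -> List[Header]:
    """Drive a WSGI app with a constructed GET / request; return its headers."""
    captured: List[Header] = []
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
        return lambda data: None
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    body = app(environ, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured
```

To audit a live site, pass the header pairs from your HTTP client's response (for example `resp.headers.items()`) to `xfo_status` and flag anything that is not "protected".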
For more information on X-Frame-Options header usage, please check out these sites:
Published Feb 04, 2015
Version 1.0
JRahm
Admin
Joined January 20, 2005
- Brad_Parker (Cirrus): Jason, will SAMEORIGIN mitigate the vulnerability as well?
- JRahm (Admin): Yes, updated the article to indicate either option is acceptable for the mitigation.
- Brad_Parker (Cirrus): You're the man!