IE Universal XSS Vulnerability Mitigation

An article on yesterday discussed an easy attack vector on IE 11 on Windows 8.1, but it works on my Windows 7 with IE 10 as well. To see the (benign) attack in action, follow these steps:

  1. In IE, go to
  2. After 3 seconds, close the popup.
  3. Click the "Go" link.

This will launch another window that will load the Daily Mail site, and then after seven seconds, will show the injected payload "Hacked by Deusen."

The good news? This can be mitigated by your application itself, or centrally on the BIG-IP with an LTM policy or an iRule, by inserting the X-Frame-Options response header with either the DENY or SAMEORIGIN value. DENY refuses framing by any page at all, while SAMEORIGIN still allows the application to frame its own pages; the DENY value is shown in the examples below.

LTM Policy

The policy below, in bigip.conf form, inserts the header into every HTTP response passing through the virtual server it is attached to:

ltm policy xframecontrol {
    controls { forwarding }
    requires { http }
    rules {
        xframeopt {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name X-Frame-Options
                    value DENY
                }
            }
            ordinal 1
        }
    }
    strategy first-match
}

LTM iRule

The equivalent iRule adds the header as each response leaves the BIG-IP, so the command runs in the HTTP_RESPONSE event:

when HTTP_RESPONSE {
    # insert adds a header even if the application already sent one;
    # use "HTTP::header replace X-Frame-Options DENY" if the BIG-IP
    # value should overwrite whatever the application emitted.
    HTTP::header insert X-Frame-Options DENY
}
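Once the policy or iRule is in place, the thing to verify is that responses really do carry a single, well-formed X-Frame-Options value. The script below is an added example (not code from the article or from F5): it parses a raw HTTP response head, classifies the framing protection it advertises, and flags the cases that bite in practice: header missing, duplicate headers with conflicting values, or the obsolete ALLOW-FROM form. The function names and the sample responses are constructed for this example; check_live is a hypothetical helper for pointing the same check at a real host.

```python
from http.client import HTTPConnection
from typing import Dict, List, Tuple

# Values that actually block framing in browsers.
FRAME_BLOCKING = {"DENY", "SAMEORIGIN"}


def parse_response_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an HTTP/1.x response into its status line and (name, value) header
    pairs. Duplicate headers are kept in order so conflicts can be detected."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    pairs: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line: skip it rather than crash
        pairs.append((name.strip(), value.strip()))
    return lines[0], pairs


def classify_x_frame_options(headers: List[Tuple[str, str]]) -> Dict[str, object]:
    """Classify the framing protection advertised by a header list.
    Returns {'ok': bool, 'verdict': str, 'values': [raw values seen]}."""
    # Header names are case-insensitive; so is the X-Frame-Options token.
    values = [v for name, v in headers if name.lower() == "x-frame-options"]
    # Some proxies fold duplicate headers into one comma-separated value,
    # so split on commas before comparing.
    tokens = [t.strip().upper() for v in values for t in v.split(",") if t.strip()]
    if not tokens:
        return {"ok": False, "verdict": "missing", "values": values}
    if len(set(tokens)) > 1:
        # e.g. DENY from the BIG-IP plus SAMEORIGIN from the application:
        # browsers do not agree on how to resolve this, so treat it as broken.
        return {"ok": False, "verdict": "conflicting", "values": values}
    token = tokens[0]
    if token in FRAME_BLOCKING:
        return {"ok": True, "verdict": token, "values": values}
    if token.startswith("ALLOW-FROM"):
        # ALLOW-FROM was never widely implemented and is obsolete;
        # Content-Security-Policy frame-ancestors is the replacement.
        return {"ok": False, "verdict": "obsolete-allow-from", "values": values}
    return {"ok": False, "verdict": "invalid", "values": values}


def check_raw_response(raw: bytes) -> Dict[str, object]:
    """Convenience wrapper: classify a raw response captured on the wire."""
    return classify_x_frame_options(parse_response_head(raw)[1])


def check_live(host: str, path: str = "/", port: int = 80) -> Dict[str, object]:
    """Hypothetical helper for a live check: issue a HEAD request and classify
    the headers that come back (not used by the offline samples below)."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        return classify_x_frame_options(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample responses (not captured from any real site).
UNPROTECTED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
PROTECTED = b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nContent-Type: text/html\r\n\r\n"
LOWERCASE = b"HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n"
CONFLICTING = (b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
               b"X-Frame-Options: SAMEORIGIN\r\n\r\n")

if __name__ == "__main__":
    for label, resp in [("unprotected", UNPROTECTED), ("protected", PROTECTED),
                        ("lowercase", LOWERCASE), ("conflicting", CONFLICTING)]:
        print(f"{label:12s} {check_raw_response(resp)}")
```

The conflicting case is the one to watch for when the header is added centrally with HTTP::header insert: an application that already sets SAMEORIGIN ends up sending two differing values, which is why the iRule comment above suggests HTTP::header replace when the BIG-IP value should win.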

For more information on X-Frame-Options header usage, please check out these sites:

Published Feb 04, 2015
Version 1.0
