IE Universal XSS Vulnerability Mitigation

An article on CIO.com yesterday discussed an easy attack vector against IE 11 on Windows 8.1; it works on my Windows 7 with IE 10 as well. To see the (benign) attack in action, follow these steps:

  1. In IE, go to http://www.deusen.co.uk/items/insider3show.3362009741042107/.
  2. After 3 seconds, close the popup.
  3. Click the "Go" link.

This launches another window that loads the Daily Mail site and then, after seven seconds, shows the injected payload "Hacked by Deusen."

The good news? This can be mitigated in your application, or centrally with an LTM policy or iRule, by inserting the X-Frame-Options response header with either the DENY or SAMEORIGIN value. DENY refuses all framing, including by your own pages, so choose SAMEORIGIN if the application legitimately frames its own content. The DENY value is shown in the examples below.

LTM Policy

ltm policy xframecontrol {
    controls { forwarding }
    requires { http }
    rules {
        xframeopt {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name X-Frame-Options
                    value DENY
                }
            }
            ordinal 1
        }
    }
    strategy first-match
}

LTM iRule

when HTTP_RESPONSE {
    # Add the header to every response leaving the virtual server
    HTTP::header insert X-Frame-Options DENY
}
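Once the policy or iRule is deployed, verify that responses actually carry the header. The following is an added example (not code from the original article or from F5): a small Python check that parses a raw HTTP response and reports whether X-Frame-Options is present with a DENY or SAMEORIGIN value, flagging missing, unsupported, or duplicated headers. The sample responses are constructed for the example.

```python
from typing import Dict, List

# Values the article recommends; matched case-insensitively per RFC 7034.
VALID_VALUES = {"DENY", "SAMEORIGIN"}


def x_frame_options_values(raw_response: str) -> List[str]:
    """Return every X-Frame-Options value found in a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.append(value.strip().upper())
    return values


def check_x_frame_options(raw_response: str) -> Dict[str, object]:
    """Classify the framing protection of one response.

    Returns {'protected': bool, 'values': [...], 'reason': str}.
    """
    values = x_frame_options_values(raw_response)
    if not values:
        return {"protected": False, "values": values, "reason": "header missing"}
    if len(values) > 1:
        # 'HTTP::header insert' appends a header even when the backend already
        # sent one. RFC 7034 leaves multiple copies undefined and browsers do
        # not treat conflicting copies uniformly, so report duplicates as a
        # misconfiguration (use 'HTTP::header replace' or set it in one place).
        return {"protected": False, "values": values, "reason": "duplicate header"}
    if values[0] not in VALID_VALUES:
        return {"protected": False, "values": values, "reason": "unsupported value"}
    return {"protected": True, "values": values, "reason": "ok"}


# Constructed sample responses (not captured from any real site).
UNPROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
PROTECTED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "X-Frame-Options: DENY\r\n\r\n<html></html>")
LOWERCASE = "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n"
DUPLICATE = ("HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
             "X-Frame-Options: DENY\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, resp in [("unprotected", UNPROTECTED), ("protected", PROTECTED),
                        ("lowercase", LOWERCASE), ("duplicate", DUPLICATE)]:
        print(label, check_x_frame_options(resp))
```

In practice, feed it the head of a response captured with a client that shows raw headers (for example curl -i) against the virtual server, and compare with a request sent straight to the pool member to confirm the header is added exactly once.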

For more information on X-Frame-Options header usage, please check out these sites:

Published Feb 04, 2015
Version 1.0