转载 2012年03月21日 10:18:16
What is it and why should I care?
X-XSS-Protection is a Microsoft IE technology used to help prevent reflected XSS attacks in IE.

Note 1: This is not a “panacea” for XSS. There is no excuse for not developing your site in a secure manner to prevent XSS. This however is a protection offered by the browser itself (as opposed to an application), meant to protect the masses from the vast amount of XSS litter on the internet.
Note 2: Firefox (by way of NoScript), Chrome (by way of WebKit) and Safari(also WebKit) have similar protections, but apparently don’t use the X-XSS-Protection header as a controlling mechanism.

The XSS protection provided essentially checks for request content that is matched in the response and would cause an XSS vulnerability to be exploited. The filter then performs some mangling of the content to prevent the attack from succeeding. According to the docs, IE has the protection turned on by default for most security zones, including the Internet zone, which is the primary concern for most users.

What should I do about it?
The first thing you should do is work towards resolving any and all XSS issues in your application. As a security minded developer, this is a must.

The recommendation for the use of this header is actually not so straightforward in my opinion. In general, the other HTTP headers I’ve described already in the series have had very little downside. However, the X-XSS-Protection header has had some problems in the past. As far as I’m aware, the IE folks have done a good job of dealing with the known vulns, but I still have concerns since some of the vulns have exposed security problems.

In general, I would recommend keeping the protection enabled, unless you are very sure you have XSS all cleaned up in your app. However, this comes with the caveat that you should at least put some thought into the use cases in your site first. Depending on your choice, here are the options you have available to use, and how you enable them in your application using the X-XSS-Protection HTTP header.

1. Enable the protection for all security zones in blocking mode (Blocking mode means the site won’t display at all if an XSS attempt is found, but rather a simple warning to the user that the attack has been blocked):

X-XSS-Protection: 1; mode=block
2. Enable the protection for all security zones:

X-XSS-Protection: 1
3. Leave the protection enabled for the default zones:

Do nothing.

4. Disable the protection entirely (I only recommend this in 2 cases: either you’re positive that you’ve completely resolved XSS in your app, or there’s an issue in the XSS filter that you’re aware of that causes an additional vulnerability) :

X-XSS-Protection: 0
The protection provided by the X-XSS-Protection header is not complete, but it does raise the bar against attackers and helps protect users. While there have certainly been some implementation issues, the fact that all the major browsers have some implementation of reflected XSS protection shows the importance of this issue. Be prudent in implementation, but certainly do everything you can to help your users be safe.


What Types of Database Questions are Asked in Interview for Testing Positions? – Testing Q&A Series

  • xuyo
  • xuyo
  • 2011年10月30日 20:14
  • 411

#254 – 能够装载FlowDocument的容器(Types of Containers for Hosting a FlowDocument)

有四种控件可以作为FlowDocument 的宿主容器:  -FlowDocumentReader ——提供多列显示、翻页、查找和放大功能的阅读器  -FlowDocumentPageView可以er...

#645 – 确定当前发生更改的键(Checking for the Presence of Modifier Keys)

在使用组合键的时候(Alt、Ctrl、Shift和其他键组合),在按键按事件(PreviewKeyDown, KeyDown, PreviewKeyUp and KeyUp)中可以使用事件参数中的Ke...

Oracle 11g Bug 10082277 – Excessive allocation in PCUR or KGLH0 heap of “kkscsAddChildNo”

转自eagle 的blog, 原文链接地址如下: 11gR2 还没怎么研究,转贴过来,以防以后出现这个问题。 -----------...

Oracle 11gR1 dbca – maximum number of sessions exceeded

Oracle11g R1 (建库的时候遇到以下问题,此问题是BUG:8343487引起的: ORA-12801: error signaled in parallel quer...