The cross-site scripting (XSS) filter that Microsoft developed and added to the latest version of Internet Explorer to prevent XSS attacks can be used for the exact opposite purpose! The XSS filter can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat.
The IE8 filter works by scanning outbound requests for strings that may be malicious. When such a string is detected, IE8 dynamically generates a regular expression matching the outbound string. The browser then looks for the same pattern in the response from the server. If a match is found anywhere in the server's response, the browser assumes that a reflected XSS attack is being conducted and automatically alters the response so that the attack will be unsuccessful.
For the most part, this neutering mechanism is effective at blocking certain types of XSS attacks from occurring. However, altering a server’s response before it gets rendered by the browser may have unintended consequences.
The researchers figured out a way to use IE8's altered response to conduct simple abuses and universal cross-site scripting attacks, which worked against sites that would not otherwise have been vulnerable to XSS. Moreover, the filter can be used to stop client-side security functionality from working, by faking an XSS attack in the incoming string so that the filter neuters the site's own legitimate script. Additionally, it can be used to inject HTML code, because the browser improperly interprets the "malicious" JavaScript.
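As an added illustration (not code from the article or from the researchers' paper), the following simplified Python model of the mechanism described above shows both behaviours: a request-derived pattern correctly neutering a reflected script, and the same pattern altering a non-vulnerable page whose own script happens to appear in the request. It also models the first remedy the article mentions, refusing to render a matching page instead of rewriting it. The regular expression, the neutering rule (`<script` becomes `<#script`) and the sample pages are assumptions, not IE8's actual implementation.

```python
import re
from typing import Optional

# Simplified model of a request-derived reflected-XSS filter, as the article
# describes it (not IE8's real implementation): suspicious strings in the
# outbound request become patterns that are searched for in the response.
# Assumption: only <script>...</script> fragments count as suspicious.
SUSPICIOUS = re.compile(r"<script[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def request_patterns(params: dict) -> list:
    """Turn suspicious fragments of the request parameters into literal patterns."""
    return [re.compile(re.escape(m.group(0)), re.IGNORECASE)
            for value in params.values() for m in SUSPICIOUS.finditer(value)]


def filter_alter(response: str, params: dict) -> str:
    """'Alter' mode: rewrite every match so it no longer executes.
    Neutering is modelled as breaking the opening tag ('<script' -> '<#script')."""
    for pat in request_patterns(params):
        response = pat.sub(
            lambda m: re.sub(r"(?i)<script", "<#script", m.group(0), count=1),
            response)
    return response


def filter_block(response: str, params: dict) -> Optional[str]:
    """'Block' mode (the first remedy the article mentions): refuse to render a
    page that matches, never rewrite it. Returns None when the page is blocked."""
    if any(pat.search(response) for pat in request_patterns(params)):
        return None
    return response


# Constructed sample: a site that never reflects input and carries its own
# client-side protection script (a hypothetical frame-busting check).
SITE_SCRIPT = "<script>if (top !== self) top.location = self.location;</script>"
SAFE_PAGE = f"<html><head>{SITE_SCRIPT}</head><body>Hello</body></html>"


def vulnerable_page(q: str) -> str:
    """Constructed sample: a page that echoes the 'q' parameter verbatim."""
    return f"<html><body>Results for: {q}</body></html>"
```

With a request that echoes the site's own script text, `filter_alter` disables the site's frame-busting check even though nothing was reflected, while `filter_block` leaves the page unrendered rather than silently tampered with.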
The researchers who discovered these vulnerabilities suggest techniques to close the hole in the IE8 filter. One is to have the user's browser disable execution of a filtered string that is found to be an attack. Another possible technique is to use site-wide anti-CSRF tokens, which prevent any sort of reflected XSS from being exploited in the first place.
Microsoft will update the IE cross-site scripting (XSS) filter in June to fix the hole that the researchers discovered.
For more information on the IE8 filter vulnerabilities, you can read the researchers' documentation here.
