Quotation Mark Parsing Flaw Makes IE Users Vulnerable to Attack

A bug in Microsoft’s Internet Explorer has left users of the popular browser vulnerable to cross-site scripting attacks, according to researchers at the security firm Imperva Data Security.

The flaw stems from an error in the way double quotes are encoded by IE. According to Imperva’s Rob Rachwald, it could have some serious consequences for websites that support IE.

Imperva researchers discovered that IE fails to percent-encode double quote characters in the query component of a uniform resource identifier (URI), as required by IETF RFC 3986, which defines URI syntax. Under that document the double quote (") is not a permitted character anywhere in a URI and must be sent as %22. IE does this for other parts of a URI, but a double quote that appears in the query component is passed through unencoded. A site that echoes the request URI back into its own HTML, for instance inside a quoted attribute, can therefore be made to emit the attacker's raw quote, which terminates the attribute and lets the rest of the query be interpreted as markup or script.

The problem with double quote characters is not present in competing browsers such as Firefox and Google Chrome, Rachwald said.

Website developers operate under the assumption that requests coming from IE are properly encoded by the browser. That assumption is unsafe independently of this bug: the encoding of a request is decided by whatever sent it, and an attacker need not use a browser at all, so reflected input has to be escaped on the server for the context it is written into.
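The encoding rule from RFC 3986 and the reflected-attribute breakout described in the two paragraphs above, as an added example that is not code from the article or from Imperva. The site, URL, handler names and the lured-click link are constructed; the "vulnerable" handler is a deliberately naive stand-in for a page that writes its own request URL into an href attribute.

```javascript
// Added example, not code from the article or from Imperva: what RFC 3986
// requires of a URI query, what a browser that leaves " unencoded sends
// instead, and why a site that reflects its own request URL into an HTML
// attribute is exposed. Site, URL and handler names are constructed.

// RFC 3986 section 3.4: query = *( pchar / "/" / "?" ), and pchar is
// unreserved / pct-encoded / sub-delims / ":" / "@". The double quote is in
// none of those sets, so a conforming sender emits it as %22. Note that the
// single quote IS a sub-delim and may legitimately appear unencoded.
const QUERY_CHAR = /^[A-Za-z0-9\-._~!$&'()*+,;=:@\/?]$/;

// Percent-encode a raw query the way RFC 3986 requires (what a compliant
// browser does). Existing %XX triplets are kept; everything else outside the
// permitted set is emitted as percent-encoded UTF-8 octets.
function encodeQueryRfc3986(rawQuery) {
  const chars = Array.from(rawQuery);
  let out = "";
  for (let i = 0; i < chars.length; i++) {
    const ch = chars[i];
    if (ch === "%" && /^[0-9A-Fa-f]{2}$/.test(chars.slice(i + 1, i + 3).join(""))) {
      out += ("%" + chars[i + 1] + chars[i + 2]).toUpperCase();
      i += 2;
      continue;
    }
    if (QUERY_CHAR.test(ch)) {
      out += ch;
      continue;
    }
    for (const octet of Buffer.from(ch, "utf8")) {
      out += "%" + octet.toString(16).toUpperCase().padStart(2, "0");
    }
  }
  return out;
}

// True when a received query contains only what RFC 3986 allows there; a
// literal " (or a space) makes this false.
function queryIsWellFormed(query) {
  return /^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@\/?]|%[0-9A-Fa-f]{2})*$/.test(query);
}

// Deliberately vulnerable (constructed) handler: it writes the request's own
// URL into an href attribute with no HTML escaping, trusting the client to
// have encoded anything dangerous.
function renderShareLinkVulnerable(requestUrl) {
  return `<a href="${requestUrl}">Share this page</a>`;
}

// Hardened handler: escape for the HTML attribute context on the server,
// regardless of what the client sent.
function escapeHtmlAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function renderShareLinkSafe(requestUrl) {
  return `<a href="${escapeHtmlAttr(requestUrl)}">Share this page</a>`;
}

// Names of the double-quoted attributes on the rendered <a> tag. If the quote
// broke out of href, an attacker-chosen attribute such as onmouseover shows up.
function attributeNames(html) {
  const body = html.match(/<a\s([^>]*)>/)[1];
  const names = [];
  const re = /([A-Za-z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(body)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample: a link the victim is lured into following.
const CLICKED = 'http://example.test/page?q=" onmouseover="alert(1)';
const [PATH, RAW_QUERY] = CLICKED.split("?");
const COMPLIANT_REQUEST = PATH + "?" + encodeQueryRfc3986(RAW_QUERY); // " sent as %22
const NON_ENCODING_REQUEST = CLICKED;                                 // " sent as-is

// Which attributes each rendering ends up with.
function demo() {
  return {
    compliant: attributeNames(renderShareLinkVulnerable(COMPLIANT_REQUEST)),
    nonEncodingVulnerable: attributeNames(renderShareLinkVulnerable(NON_ENCODING_REQUEST)),
    nonEncodingSafe: attributeNames(renderShareLinkSafe(NON_ENCODING_REQUEST)),
  };
}

console.log(COMPLIANT_REQUEST, demo());
```

With the compliant request the vulnerable handler emits a single href attribute, because %22 is just text inside the value. With the unencoded request the same handler emits an onmouseover attribute the attacker chose. The hardened handler is unaffected by what the client sent, which is the property a site should rely on.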

Imperva reached out to Microsoft about the bug. In their response, Microsoft downplayed the vulnerability, saying “[this flaw is] not something that we consider to be a security vulnerability that will be addressed in a security update.”

Rachwald and Imperva disagree. Citing XSSed.com, a site for public disclosures of XSS vulnerabilities, Rachwald claims there are sites listed that are currently experiencing XSS attacks stemming from the coding error in question and affecting only IE users.

Discussion

  • Rob on

    "Website developers operate under the assumption that requests coming from IE are properly encoded by the browser."

    Excuse me? Rule 1 of secure programming: Never trust the client. Someone smack those web developers upside the head.

  • Anonymous on

    @Rob - Seriously. And anyway, in what way is this new or even noteworthy? This problem has been around for a decade. It's been in nearly every one of my pen-test reports (IE only XSS stemming from how IE doesn't URL encode quotes) for years now. Did someone finally figure out how to use an inline proxy? I feel bad for MS for once - I bet it would break a ton of IE only websites to "fix" this.
  • Anonymous on

    Microsoft, as usual, don't care unless they happen to get stung.

  • mirs on

    What sane person, in this day and age, relies on the browser to protect their application?

    Based on Imperva's business, I'd guess that they are accustomed to telling their customers that their web app security firewall will fix crappy code written by their customers. Perhaps this is why they choose to alert Microsoft that IE doesn't do something with quotes.

  • Anonymous on

    I'm not even sure this is a bug in light of the RFC. Also, many browsers (including Chrome) do not encode the single quote, which can equally lead to 'breaking out' of attribute values. Also, many languages automatically decode percent-encoded query strings.

    Whenever you build a URL to use in an attribute you need to make sure that:

    1. URL parts are correctly encoded.
    2. The URL is safe to use with the attribute (i.e., it does not contain javascript:)
    3. It is properly escaped as an HTML attribute value
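The three checks in the comment above, carried out in one place, as an added example that is not the commenter's code. The allowed-scheme list, the host name and the sample values are assumptions chosen for illustration.

```javascript
// Added example, not the commenter's code: the three checks above, applied
// when a server builds an href from data it does not control. The allowed
// scheme list and the example values are assumptions for illustration.

// 1. Encode each URL part separately. encodeURIComponent turns " into %22 and
//    & into %26, so a value cannot add or terminate a query parameter. (It
//    leaves ' ( ) * ! ~ alone, which is one reason step 3 still matters.)
function buildQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// 2. Refuse URLs whose scheme the attribute must not carry. Browsers strip
//    ASCII tab/newline anywhere and leading control characters before they
//    parse a scheme, so normalise the same way first; otherwise
//    "java\tscript:" or " javascript:" slips past a naive startsWith check.
const ALLOWED_SCHEMES = ["http", "https"]; // assumed policy
function hrefSchemeIsAllowed(url) {
  const norm = url.replace(/[\t\n\r]/g, "").replace(/^[\x00-\x20]+/, "");
  const m = norm.match(/^([a-z][a-z0-9+.\-]*):/i);
  if (!m) return true; // no scheme: a relative URL, nothing to hijack here
  return ALLOWED_SCHEMES.includes(m[1].toLowerCase());
}

// 3. Escape for the attribute context. This is what stops a stray " (or a
//    base path the attacker influenced) from closing the attribute, whatever
//    the client did or did not encode.
function escapeHtmlAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Build the complete href="..." attribute text, or throw if the URL is unsafe.
function hrefAttribute(base, params) {
  const query = buildQuery(params);
  const url = query ? `${base}?${query}` : base;
  if (!hrefSchemeIsAllowed(url)) {
    throw new Error("refusing to emit href with disallowed scheme: " + JSON.stringify(url));
  }
  return `href="${escapeHtmlAttr(url)}"`;
}

console.log(hrefAttribute("https://example.test/search", { q: 'a"b&c', lang: "en" }));
```

Note that step 3 also rewrites the & between query parameters as &amp;. That is correct HTML (the browser decodes it back before following the link) and is the visible sign that the URL was escaped for the attribute rather than pasted in raw.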