by   May 22 2012   
XSS filters are new for some browsers, but it's not a new scripting process. XSS can be identified as Good and Bad. Most times it's a poorly scripted website or a simple mistake with a link. But my concern is a new advertisement format which actually promotes its XSS (Cross Site Script) technique as a good marketing data mining method. Granted, it's good at what it does, but when you look at the scripts you have to question if they are filtering enough to protect the privacy of those using the publisher's website. Disclaimer: The code sample was taken from one of the advertisers. This is only used as an example and not to be taken as an endorsement or condoning of this practice.

XSS Filters: are they identifying privacy concerns?

When I started researching the XSS filter it didn't take long to set up sample pages to trigger the XSS filters in Internet Explorer.

It was actually fun coding up a few Cross Site Scripts and clicking the link to the pages. 

The "#" sign is what you will see when the XSS filter identifies a possible cross-site script (XSS).

What is XSS?

If you read the other article and watched the video Microsoft published that's about all it is. It's a little different for servers and the hack called Cross Site Scripting which I will also publish and offer my disclaimer. 

I'm not going into much detail with this one script, but I will point out a few things that might help you determine if you should disable XSS filtering in your browser's settings. It's up to you 100% and you can disable as much as you like, but search nist.gov for XSS and your favorite browser, then read on.

The XSS script trapped by IE 9 was the size of 10 full Word Doc pages: 109,045 characters, which for non-coders is about 12,600 words! That script was about the same size as 10 of my website pages, and it was loading into one of my sites.

1. If you use these scripts be ready to be banned by most websites that monitor for script attacks. Banned IPs often are shared over many databases and blacklists.

You can safely view the code and run it on your local desktop to see how the XSS filters work. I'll offer up some code later for your local testing. 

Now, personally I like advertisements in websites. I know why they are there and I know the Internet is fueled by these publishers. But when I find ads that distribute malware, downloads or popups, I do my part: I reverse engineer them and identify the servers.

This time it's a new marketing company promoting a specific type of code that collects users' information as they type.

Just like in the XSS video the advertisement (don't ban me now for saying this) actually has more than 2 fields that it copies from and in real time reports back. 

The advertisement I collected was for a school and offered "Select your XSS-Advertisement -Triggered -Liberty -university -Script -HTML-posted -2interest" and "Type your name" then click go. The XSS Filter from IE blocked it but allowed me to view the source code. 

What I found may not be very much liked by advertisers but this post is to advise you to clean up the fields you don't need and to make sure you respect the privacy of the internet users. 

The premise of the marketing method is to collect form field data in real time which allows for many to collect the information needed to provide a qualified lead.

Many good applications do this. Your online technical support chat, for example, monitors in real time while you type, so you don't even have to hit enter and the remote technician can see what you typed.

Be careful you don't make the mistake I made and type a bunch of junk, then delete it. It was read.

Anyway, the form data displayed in some ads is either drop-down menus or fill-in-the-blank fields.

Those fields might look like,

"name": "Form1", "attribute": "VALUE", "items": { "value": input_field_1 }, etc.

Now, the above are to be expected on just about any online form using JavaScript (JSON).

I liked the interactive fields, but out of the 44,000-character JavaScript that was loaded into a small advertisement I found some fields that made me question the source.

          { "currency": "NONE", "billingContact":
            { "firstName": "", "lastName": "", "phone": "", "email": "", "fax": "", "status": "ENABLED", "id":
            "creditCard": null, "paymentType": "NONE", "billingType": "NONE", "address":
              { "address": "", "state": "", "country": "US", "city": "", "zipCode": "", "einNumber": "", "ssnNumber": null, 

Now, these fields seemed to be out of place. They could be a "Billing" field, or the developer made the form include all form fields to be used once the person clicked on button1 in this case.

But if we review the basics of XSS, this might mean that if the page this code was on had a form with field names "phone", "fax", "lastName", "firstName" or "creditCard", then we might have an issue.

According to the Microsoft XSS information, the XSS script copies data as you type it into fields. If you were on a check-out page these fields may actually appear. Or maybe you were signing up on a new website and this advertisement appeared and matched the site's "Name" fields.

Now, this does have me concerned but this isn't all of the story. 

The script continues for about another 28,000 characters.

"contentRepository":

The above part of the script identifies the location where the data from the form fields is saved. It appeared to point to the ad server, but after I looked it's a different server, which I will not point out at this time. In any case the script matches the Microsoft video in that the design is to collect and save data from the site in which the script is run.
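The concern in the last few paragraphs is a third-party script whose configuration names form fields (phone, creditCard, ssnNumber, and so on) that could coincide with fields on the host page, and a "contentRepository" value that points at a server elsewhere. The block below is an added example, not code from the original post or from the advertiser's script: a small Node.js audit that walks a parsed ad configuration, lists the field names it declares, reports which of those also exist on the host page's own form, and pulls out any absolute URLs so the publisher can see which hosts the script points at. The configuration object, the page field names and the collector host are all constructed for this example, modeled on the field names quoted above.

```javascript
// Added example (not from the original post or the advertiser's script).
// Audits a third-party ad configuration for the form-field names it declares,
// compares them with the host page's own field names, and extracts any server
// locations (absolute URLs) it contains. All sample data is constructed.

// Field names a publisher would not expect an "image" ad to know about.
const SENSITIVE_FIELDS = new Set([
  'firstname', 'lastname', 'phone', 'fax', 'email', 'creditcard',
  'ssnnumber', 'einnumber', 'zipcode', 'address', 'username', 'password',
]);

// Recursively collect every object key (lower-cased) and every string value
// that looks like an absolute http(s) URL.
function walkConfig(value, keys = new Set(), urls = new Set()) {
  if (Array.isArray(value)) {
    for (const item of value) walkConfig(item, keys, urls);
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      keys.add(k.toLowerCase());
      walkConfig(v, keys, urls);
    }
  } else if (typeof value === 'string' && /^https?:\/\//i.test(value)) {
    urls.add(value);
  }
  return { keys, urls };
}

// configText: the JSON text of the ad configuration.
// pageFieldNames: the name attributes of the host page's own form inputs.
function auditAdConfig(configText, pageFieldNames) {
  const { keys, urls } = walkConfig(JSON.parse(configText));
  const pageFields = new Set(pageFieldNames.map((n) => n.toLowerCase()));
  const sensitive = [...keys].filter((k) => SENSITIVE_FIELDS.has(k)).sort();
  const overlap = [...keys].filter((k) => pageFields.has(k)).sort();
  const hosts = [...urls].map((u) => new URL(u).host).sort();
  return { sensitive, overlap, hosts };
}

// Constructed sample configuration modeled on the fields quoted in the post.
const SAMPLE_AD_CONFIG = JSON.stringify({
  name: 'Form1',
  items: [{ attribute: 'VALUE', value: 'input_field_1' }],
  currency: 'NONE',
  billingContact: {
    firstName: '', lastName: '', phone: '', email: '', fax: '',
    status: 'ENABLED', id: 0, creditCard: null,
    address: {
      address: '', state: '', country: 'US', city: '', zipCode: '',
      einNumber: '', ssnNumber: null,
    },
  },
  // Hypothetical collector host, not the one the post declines to name.
  contentRepository: 'https://collector.example.invalid/store',
});

// Constructed field names of a host page's sign-up form plus a blog login.
const SAMPLE_PAGE_FIELDS = ['firstName', 'lastName', 'email', 'state', 'username', 'password'];

console.log(JSON.stringify(auditAdConfig(SAMPLE_AD_CONFIG, SAMPLE_PAGE_FIELDS), null, 2));
```

Running it prints the sensitive names the configuration declares, the names it shares with the page (here email, firstname, lastname and state) and the collector host. A publisher can run the same check against any ad script's configuration before it goes live; a non-empty overlap with login or checkout fields is the case the post is warning about.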

I'll stop here and wait for a JSON pro to review a few things I have. I'm interested in learning why so many fields were needed in a background script that was 118 KB in size. That's nearly the size of one of my longer articles.

No problem if it's all just a mistake, but from all the years I have worked with servers and defended against direct XSS attacks, this doesn't appear to be a friendly image advertisement method.

I'd suggest creating nice ads instead of looking for form data on a page that is not welcome. 

Hope this helps those looking for answers about the XSS scripting filter. I think it's about time more has been done for browsers to help protect the privacy of internet surfers. 

Now if only a couple of news websites would allow me to deny a flash cookie to watch the news. But it's not important, I found another site that respects my Flash privacy settings. 

Internal Resources: IE XSS Filters; XSS Alert on Ads

External Resources: OWASP Testing for Cross Site Scripting

History Reading: Cross Site Scripting (In 2000 it was called CSS. I had my NT 4.0 server running IIS 4.01 and still have it for testing. Old, slow, easy to break.)

(Closing Disclaimer: The code I reference here was trapped by IE 9 XSS Filter. I collected the data via the saved code link IE 9 offers. I'm a technician and I practice electronic counter measures on several networks. This article is designed to help personal computer users understand a valid threat. When I publish examples of false positives in XSS due to poorly designed websites some will learn more. But, my sites are not poorly coded, they just are old and slow code. If you request this article be pulled I'll respect that but I'll expect a policy update from the advertiser regarding the location of where they store the data collected.)

Final Note: I might have expressed my opinion a bit hard on this subject, and I would have liked to simply suggest not disabling the XSS functions. But, as I said in the IE XSS Filters article, this is an issue of privacy more than anything you have ever experienced before. If I can create a script to copy your saved clipboard, or copy what you type live into a box even if you don't click send, is that spying on you? If you think not, then disabling XSS filtering is just fine for you.

Webmasters who find their sites aren't working correctly now should have learned years ago about testing for XSS issues. It's not difficult to build websites that work with the filters set to on. Some IIS servers have started enabling XSS filtering on the server side to add more protection. You all know you can get viruses from some advertisement networks; now XSS is a big selling point. What are the username and password field names on your WordPress blog? name=password, name=username: maybe the next banner ad that shows "Select your state" will also copy your login. You will never know if you disable the only app you have that will tell you.

Ok, I know, enough is enough, but at least my pages with all the words are still 1/1000th of the size of that XSS advertisement. Have a great day.
