DerbyCon 4.0 - IE XSS Filter Bypass

The demo site has been taken down.

The deliberately vulnerable PHP code can be obtained from GitHub (link below).

DerbyCon 4.0 Presentation Slides (.pdf)

You can download all of the files here: (MIT License)

URLs in the Presentation Slides:

Hexadecimal Encodings: HTML 4.0 Specification

Decimal Encodings: HTML 2.0 Specification

Named Entity Encodings: HTML 2.0 Specification ("Numeric and Special Graphic Entity Set")

URL/URI Encodings: RFC 1630 (page 7)

Content Security Policy 1.0

Content Security Policy: Internet Explorer Support

Microsoft's Internet Explorer XSS Filter Design Philosophy (note: this is currently was misspelled in the slides, an updated version with a correct spelling will be uploaded shortly has been uploaded)

Contact Me: