Event 1046 - Cross-Site Scripting Filter

Applies To: Windows 7, Windows Vista

Cross-site scripting attacks occur when one Web site injects, or adds, JavaScript to otherwise legitimate requests to another Web site. The original request is generally innocent, such as a link to another page or a Common Gateway Interface (CGI) script providing a common service (such as a guestbook). The injected script generally attempts to access privileged information or services that the second Web site does not intend to allow. The response to the request generally reflects results back to the malicious Web site. The XSS Filter, a feature new to Windows® Internet Explorer® 8, detects JavaScript in URL and HTTP POST requests. If JavaScript is detected, the XSS Filter searches for evidence of reflection, that is, information that would be returned to the attacking Web site if the attacking request were submitted unchanged. If reflection is detected, the XSS Filter sanitizes the original request so that the additional JavaScript cannot be executed.

Cross-site scripting can enable attacks such as:

  • Cookie theft, including the theft of session cookies that can lead to account hijacking.

  • Monitoring keystrokes input to the victim Web site or application.

  • Performing actions on the victim Web site on behalf of the victim user. For example, an XSS attack on a user's e-mail Web site might enable an attacker to read and forward e-mail messages, set new calendar appointments, and so on.

Note

For more information and examples, see the Event 1046 - Cross-Site Scripting Filter topic from Internet Explorer Application Compatibility.

When Is This Event Logged?

This event is logged when Internet Explorer detects JavaScript in a URL or HTTP POST request that also contains evidence of reflection to return user information to a different location.

Remediation

You can disable this feature by setting the following HTTP response header:

X-XSS-Protection: 0

The user can also control the XSS Filter by using the Internet Control Panel.

Note

By default, this filter is turned on for the Restricted, Internet, and Trusted zones.

What Happens If I Disable This Security Feature?

If you disable this security feature, you will be more prone to cross-site scripting attacks. Disabling this feature should be done only as a temporary measure while your site is redesigned to avoid the reflection behavior being targeted by this security feature. It may also be used during troubleshooting, to compare the behavior of the application when the feature is enabled and when it is disabled. It is not recommended that this feature be left disabled on an ongoing basis.
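The following is an added example, not code from this topic or from Internet Explorer, that illustrates both the Remediation header above and the "redesign to avoid the reflection behavior" advice. It models a hypothetical guestbook-style page that echoes a "name" query parameter: one version reflects the value verbatim (the behavior the XSS Filter keys on) and the redesigned version HTML-encodes it. The reflects_unencoded check is a constructed audit helper that probes a page with a benign marker containing angle brackets, and xss_filter_header builds the response header; the value "1; mode=block" is documented by Microsoft for later IE8 updates and is not on this page. The function names, the marker value and the sample query string are all assumptions made for this example.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed sample: a hypothetical guestbook page that reflects the "name"
# query parameter into its HTML. Not IE code and not any real site.


def render_guestbook_unsafe(query_string: str) -> str:
    """'Before' version: copies the parameter into the markup unchanged.

    Any request value, including script, is reflected verbatim. This is the
    reflection behavior the XSS Filter detects and the site should remove.
    """
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<html><body><h1>Welcome, {name}!</h1></body></html>"


def render_guestbook_safe(query_string: str) -> str:
    """Redesigned version: HTML-encodes the parameter before reflecting it.

    Angle brackets, quotes and ampersands become entities, so the value is
    rendered as text rather than parsed as markup or script.
    """
    name = parse_qs(query_string).get("name", [""])[0]
    safe_name = html.escape(name, quote=True)
    return f"<html><body><h1>Welcome, {safe_name}!</h1></body></html>"


# Benign probe (constructed): something with angle brackets but no script.
# If it survives into the response unchanged, the page reflects unencoded.
MARKER = "<marker-1046>"


def reflects_unencoded(query_string: str, body: str) -> list:
    """Return the names of query parameters whose raw value appears verbatim
    in the response body. An encoded reflection (&lt;...&gt;) does not match."""
    reflected = []
    for name, values in parse_qs(query_string).items():
        for value in values:
            if value and value in body:
                reflected.append(name)
                break
    return reflected


def audit(render) -> list:
    """Run the marker probe through a render function and report which
    parameters it reflects without encoding."""
    query_string = "name=" + quote(MARKER)
    return reflects_unencoded(query_string, render(query_string))


def xss_filter_header(disable: bool) -> dict:
    """Response header controlling the IE8 XSS Filter for this response.

    '0' turns the filter off for the page (the temporary remediation from
    this topic). '1; mode=block' keeps it on and asks the browser to block
    the page instead of sanitizing it (value from later IE8 updates; an
    assumption for this example, not taken from this topic).
    """
    return {"X-XSS-Protection": "0" if disable else "1; mode=block"}


if __name__ == "__main__":
    print("unsafe page reflects:", audit(render_guestbook_unsafe))
    print("safe page reflects:  ", audit(render_guestbook_safe))
    print("temporary header:    ", xss_filter_header(disable=True))
    print("steady-state header: ", xss_filter_header(disable=False))
```

The probe deliberately uses a marker rather than script: the audit only needs to learn whether a request value comes back with its angle brackets intact, which is the property the XSS Filter keys on, so the redesign is verified once the marker no longer survives unencoded and the page can be served with the filter left on.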

See Also

Concepts

Known Internet Explorer Security Feature Issues