Software and web application security

January 11, 2007

Internet Explorer whitespace-as-comment hack to bypass input filters

Filed under: penetration testing, software security, web apps — chrisweber @ 12:02 am

When testing for XSS (cross-site scripting) issues, you often need to bypass filters and perform different sorts of encodings and other trickery. To be a good tester you also need to know how the browsers you’re concerned with behave differently. In Internet Explorer 6.0 there’s a behavior that’s allowed seemingly impassible input validation filters to be bypassed. Note that the issue is not the browser’s fault, it’s the fault of an improperly designed input validation mechanism on the server. Okay to illustrate the point.

You’re testing a web app that has an input field. Some script tags are allowed but <img src=”something”> is not. By replacing the whitespace with a comment, your code is accepted. When returned to the browser, IE 6.x, the comment is interpreted as whitespace and the code is executed fine. Test it out:

//Start HTML
<img/*comment*/src="javascript:alert('img tag')">
//End HTML

This trick can be useful for more than just bypassing filters…



  1. Bush and the Republicans were not protecting us on 9-11, and we aren’t a lot safer now. We may be more afraid due to george bush, but are we safer? Being fearful does not necessarily make one safer. Fear can cause people to hide and cower. What do you think? What is he doing to us, and what is he doing to the world?
    If ever there was ever a time in our nation’s history that called for a change, this is it!
    We have lost friends and influenced no one. No wonder most of the world thinks we suck. Thanks to what george bush has done to our country during the past three years, we do!

    Comment by Antibush — February 16, 2007 @ 2:43 am

  2. Cool…

    Comment by Dimitris — September 2, 2007 @ 3:26 pm

  3. interesting

    Comment by Yanni — September 5, 2007 @ 7:57 pm

  4. mm.. just wanna say thank you

    Comment by bogsSnony — December 5, 2007 @ 4:16 pm

  5. very interesting, but I don’t agree with you

    Comment by Idetrorce — December 15, 2007 @ 2:11 pm

  6. Most panties commiserated after numeric girls, admirably fourteen or fifteen jessica simpson and nick lachey music video olds, and even Kath and Claire figured it wasn’t in hotly cooped to slime after a technique of that age.

    Comment by KingUarnill — February 16, 2008 @ 1:33 pm

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Blog at

%d bloggers like this: