Sumary
----------
A security flaw allows an attacker to execute XSS attacks evading the native filter AntiXSS.
Details
---------
A few days ago I found a way to circumvent the security system of the current latest version of Google Chrome that prevents XSS attack and I have left a temporary proof of concept here:
http://ec2-50-16-152-72.compute-1.amazonaws.com/chrome-filterxss-bypass.php
test.php
<p> var1: <?php echo $ _GET ['var1'];?> </ p>
<p> var2: <?php echo $ _GET ['var2'];?> </ p>
Filter Works: test.php?var1=<script>alert(document.cookie);/*&var2=*/</ script>
Filter Bypass: test.php?var1=<script>alert(document.cookie);x='&var2=';</ script>
The problem is that Chrome does not remove everything that is in front of <script> allowing an attacker manage to obfuscate the code after the code is injected.
http://trac.webkit.org/browser/trunk/Source/WebCore/html/parser/XSSAuditor.cpp?rev=119184#L91
Only filter comments in script tag.
To understand a little more of this we must first know that Google has provided a filter that prevents an attacker aprobecharse your browser, but ... How real is it in practice?
Taking a look on the internet ( https://www.google.cl/search?q=bypass%20chrome%20xss%20filter) I realized that over time there have been many ways to circumvent this security system and today is no exception, but end user then it really serves this added security system, the answer is NO and Microsoft knows very well also because since the release of Internet Explorer 8 have tried to create similar filters to prevent such attacks without positive results and that each security conference to be held somewhere in the world there is always someone who shows up with his new bypass your filter.
But ... What is XSS? ...
A technically XSS attack is when a web site prints everything that you send may inject malicious code can eg steal user sessions, etc. But even though this is purely because of a bad development WEB some companies opt for trying prevent such situations directly through their products (browsers).
Was it reported?
I did report waiting to give me something to google bounty program ( http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program ) but was told that was not covered xD indeed said they had some things that if filtered and some not:
https://code.google.com/p/chromium/issues/detail?id=171114
> # 1 jsc ... @ chromium.org
>
> That is correct. The XSS auditor does not filter script Explicitly
injection split across multiple variables. At some point we plan on
posting a document explaining what the XSS auditor can and can not filter.
Is it 100% effective?
The answer is too light and is a resounding NO, is like the case of a virus, the same manufacturers say they can not ensure that detect more than 30% of all existing viruses, in the case of the filters you can ensure neither antixss nobody ever you can hack through an XSS filter is actually the factory and can not or do not want to delete, and will have to use it.
What are the risks of using anti XSS filters?
Some companies like Microsoft have had huge problems by imposing these filters to users because some attackers manage to make such a filter is placed against the same users can steal accounts websites have never had problems security such as universal XSS case of Internet Explorer ( http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Lindsay ). In other issues of standards and programming since in some cases they send some pages to a section where you send HTML content parameters and filters antixss the interrupt, which goes against the standard HTTP protocol because that's what URL encodings and proper web programming.
Mozilla is very clear
Today Mozilla Firefox does not use any filter antiXSS, why?, Because they have clear, use an anti xss only attracts more hackers and hackers to try to break those rules and effortlessly possible, try to impose filters is like trying to cover the sun with one finger, XSS flaws are not the fault of the explorers but developers of websites, for otherwise we often want to test or teach people about how to take care of codes such situations but it is only possible from mozilla firefox and others that do not include such a filter.
From Mozilla Firefox recommend using NoScript addon ( https://wiki.mozilla.org/Security/Features/XSS_Filter ) for people who really want a filter and not imposed. As always worrying about what we want and not of what we consume.
(powered by Google Translator).
Mirror
--------
http://whk.drawcoders.net/index.php/topic,2889.0.html