# Title: Chrome 31.0 Webkit XSS Auditor Bypass
# Product: Google Chrome
# Author: Rafay Baloch @rafaybaloch And PEPE Vila
============
Description
============
The Chrome XSS Auditor is a client-side XSS filter used by Google Chrome
to protect against XSS attacks. The filter has already been bypassed many
times, and there are still many contexts in which it fails.
============
Vulnerability
============
The vulnerability lies in the way some applications "escape" certain
characters: instead of encoding them, they replace them with other
characters that still yield valid JavaScript syntax. For instance,
replacing single quotes, double quotes, etc. with - leaves the injected
code syntactically valid JavaScript, and because the reflected response no
longer matches the request parameter, the XSS Auditor does not recognise
it as a reflection and lets it through.
================
Proof of concept
================
The following is a challenge set up by a gentleman with the nickname "Strong boi":
http://12342.site11.com/level2.php
The expected solution was to use a well-known unfixed bug in Chrome,
using both parameters a and b to execute the JavaScript. However, we
noticed a different behaviour when we injected an apostrophe: it was being
converted to -, which still yielded valid syntax and executed the
JavaScript. This works whenever the server-side application replaces
special characters with - or anything similar that keeps the resulting
syntax valid.
http://12342.site11.com/level2.php?a=%22%3E%3Cscript%3E'alert(0);%3C/script%3E
Output Source:
First search:<input type="text" name="a"
value="<script>1-alert(0);</script>"/><br>