Google Chrome 31.0 Webkit Auditor Bypass

Credit: Rafay Baloch
Risk: Low
Local: No
Remote: Yes

# Title: Chrome 31.0 Webkit XSS Auditor Bypass # Product: Google Chrome # Author: Rafay Baloch @rafaybaloch And PEPE Vila ============ Description ============ Chrome XSS Auditor is a client side XSS filter used by google chrome to protect against XSS attacks. Chrome XSS filter has already been beaten a lot of times and there still exists lots of contexts where it fails. ============ Vulnerability ============ The vulnerability lies in the way people escape certain characters, while replacing certain characters with characters that would still yeild a valid javascript syntax. For instance, stripping out Single quotes, Double quotes etc with - would yield a valid javascript syntax and since the response won't match the output parameter. ================ Proof of concept ================ The following is a challenge setup by a gentle man with a nick "Strong boi": The expected solution was to use a well known unfixed bug in chrome and using both parameters a and b to execute the javascript. However, we noticed a different behaviour, when we injected an apostrophe. It was being converted to - and hence yielding a valid syntax and executing the javascript. So, this would work whenever the server side application would try replacing special characters to - or anything similar that would make the syntax valid.'alert(0);%3C/script%3E Output Source: First search:<input type="text" name="a" value="<script>1-alert(0);</script>"/><br>

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022,


Back to Top