Google Chrome 31.0 Webkit Auditor Bypass

2013.09.25
Credit: Rafay Baloch
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Title: Chrome 31.0 Webkit XSS Auditor Bypass
# Product: Google Chrome
# Author: Rafay Baloch @rafaybaloch And PEPE Vila

============
Description
============

Chrome XSS Auditor is a client-side XSS filter used by Google Chrome to protect against XSS attacks. Chrome's XSS filter has already been beaten many times, and there still exist many contexts in which it fails.

============
Vulnerability
============

The vulnerability lies in the way applications escape certain characters: they replace them with other characters that still yield valid JavaScript syntax. For instance, replacing single quotes, double quotes, etc. with - yields valid JavaScript syntax, and since the reflected response no longer matches the request parameter, the auditor does not block it.

================
Proof of concept
================

The following is a challenge set up by a gentleman with the nick "Strong boi":

http://12342.site11.com/level2.php

The expected solution was to use a well-known unfixed bug in Chrome, using both parameters a and b to execute the JavaScript. However, we noticed a different behaviour when we injected an apostrophe: it was being converted to -, hence yielding valid syntax and executing the JavaScript. So this would work whenever the server-side application tries replacing special characters with - or anything similar that makes the syntax valid.

http://12342.site11.com/level2.php?a=%22%3E%3Cscript%3E'alert(0);%3C/script%3E

Output Source:

First search:<input type="text" name="a" value="<script>1-alert(0);</script>"/><br>
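The following is an added example, not code from the advisory or from the challenge site: it puts the flawed "replace quotes with -" handling the advisory describes beside proper HTML attribute encoding, and uses a compile-only syntax check to show why the flawed output is still runnable JavaScript while no longer matching the request. Function names and the sample input are my own.

```javascript
// Flawed handling of the kind the advisory describes: quotes are replaced
// with '-' instead of being encoded. (Hypothetical helper, not the site's code.)
function naiveSanitize(input) {
  return input.replace(/["']/g, "-");
}

// Correct handling for a value reflected into an HTML attribute: entity-encode
// every character that can close the attribute or open a tag.
function encodeAttr(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Parse (but never run) a string as JavaScript and report whether it is
// syntactically valid. new Function only compiles; it is not invoked here.
function isValidJs(code) {
  try {
    new Function(code);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// The reflection point from the advisory's "Output Source" line.
function render(value) {
  return `<input type="text" name="a" value="${value}"/>`;
}

// Compare both strategies on one constructed input. After the '-' rewrite the
// reflected text no longer equals the request parameter, so a filter that
// matches request against response sees nothing to block, yet the rewritten
// script body still parses. Proper encoding leaves nothing executable.
function compare(input) {
  const naive = naiveSanitize(input);
  const safe = encodeAttr(input);
  return {
    naiveOutput: render(naive),
    safeOutput: render(safe),
    naiveStillValidJs: isValidJs(naive),
    naiveMatchesRequest: naive === input,
  };
}

// Constructed sample: the script body from the advisory's PoC with a leading 1.
console.log(compare("1'alert(0);"));
```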


Copyright 2022, cxsecurity.com