Editing field values in Developer Tools can lead to script execution
Reported by baiju.d...@gmail.com, May 13 2016
Issue description

1. On Google Chrome, log into a website which has an editable field, for example: https://scholar.google.com/
2. Go to Inspect Element for any of the fields from the profile.
3. Change the field value to "><img src=x onerror=prompt('0');>
4. XSS pop-up is fired.

This happens on any website with an editable field. Checked the same with all the other browsers. This does not happen in Mozilla, IE. Also this does not happen with other payloads like ><img src=x onerror=prompt('0');>
May 14 2016
Can't reproduce this so far -- do you have any extensions installed? Any DevTools extensions, perhaps?
May 14 2016
No, I am not using any extensions in Developer Tools. Here is the POC: http://screencast.com/t/YpmTycp2MLj
May 14 2016
Thank you for providing more feedback. Adding requester "caseq@chromium.org" for another review and adding "Needs-Review" label for tracking. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 16 2016
Any updates?
May 16 2016
Well, this is not XSS. Call it self-XSS if you like, but having the code run in the page as a result of user action is DevTools' functionality by design. There's definitely more than one way to do it.
Comment 1 by elawrence@chromium.org, May 13 2016
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: Editing field values in Developer Tools can lead to script execution (was: Security: XSS when a field is edited with particular payload)