XSS Auditor Bypass Using Javascript URIs in an Existing Hyperlink Tag
Reported by damian.p...@gmail.com, Oct 11 2016
VULNERABILITY DETAILS
The XSS Auditor can be bypassed by injecting a Javascript URI into an existing hyperlink <a> tag on a vulnerable page. E.g. a page exists with a query parameter (for example returnURL); this query parameter is naively trusted (a situation also vulnerable to an open redirect exploit, but irrelevant to this bypass); this query parameter is then supplied as a hyperlink destination/href parameter to an <a> tag on the page (e.g. a return to previous page link). When the user clicks the vulnerable hyperlink, the code that was present as a query parameter will execute within the context/origin of the page. The query parameter can also be used to change the styling of the page in order to increase the odds of the user interacting with the vulnerable element, and represents a viable attack strategy. The XSS Auditor currently successfully filters Javascript URIs in newly created hyperlink tags (e.g. an exploit that injects a hyperlink onto the page, which executes code when interacted with). This leads me to believe this is a genuine bypass for this particular scenario.

VERSION
Chrome Version: 53.0.2785.143 m (64-bit) + stable
Operating System: Windows 10 v10586.589
Has also been reproduced on Chrome stable, on Mac OSX Sierra.

REPRODUCTION CASE
Loads a simple page, with Javascript content in the request parameters (e.g. a typical XSS attack); upon clicking the "Return To Home Page" hyperlink the browser will happily execute the Javascript content present in the request on the same origin as the page. This bypasses the protections offered by the XSS Auditor.
http://scratchpad.dpeckett.com/xss-auditor-bypass-poc/example?returnUrl=javascript:alert(%27Executing%20With%20Origin:%20%27%20%2B%20window.location.origin)
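The reflected-parameter pattern the report describes (a trusted returnUrl dropped into an <a href>), beside a hardened version that accepts only same-origin http(s) destinations, as an added example that is not part of the original report or of Chromium; the site origin, function names and sample inputs are assumptions.

```javascript
// Added example, not from the bug report. SITE_ORIGIN and the function
// names are assumptions chosen for illustration.
const SITE_ORIGIN = "https://example.test";

// Vulnerable pattern from the report: the query parameter is trusted and
// written straight into the href, so "javascript:" schemes survive and the
// XSS Auditor does not filter them because the <a> already exists in markup.
function renderReturnLinkVulnerable(returnUrl) {
  return `<a href="${returnUrl}">Return To Home Page</a>`;
}

// Hardened: resolve the value against the site origin with the WHATWG URL
// parser (which lowercases the scheme and strips tabs/newlines, so
// "JavaScript:" and "java\tscript:" collapse to "javascript:"), keep only
// http(s) targets on our own origin, and otherwise fall back to the site root.
function safeReturnUrl(raw, origin = SITE_ORIGIN, fallback = "/") {
  if (typeof raw !== "string") return fallback; // e.g. repeated query keys
  let url;
  try {
    url = new URL(raw, origin);
  } catch {
    return fallback; // unparseable input
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return fallback;
  if (url.origin !== new URL(origin).origin) return fallback; // open redirect
  return url.pathname + url.search + url.hash; // emit a relative URL
}

// Attribute-escape so the value cannot break out of the quoted href either.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderReturnLinkHardened(returnUrl) {
  return `<a href="${escapeAttr(safeReturnUrl(returnUrl))}">Return To Home Page</a>`;
}

// Constructed sample input mirroring the report's payload shape.
const samplePayload = "javascript:alert('Executing With Origin: ' + window.location.origin)";
console.log(renderReturnLinkVulnerable(samplePayload)); // href keeps the javascript: URI
console.log(renderReturnLinkHardened(samplePayload));   // href="/"
```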
Comment 1 by elawrence@chromium.org, Oct 11 2016
Components: Blink>SecurityFeature
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: Untriaged (was: Unconfirmed)