
Issue 659019


Issue metadata

Status: Duplicate
Merged: issue 81697
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: JavaScript URIs may be entered in the address bar

Reported by mukulmal...@gmail.com, Oct 25 2016

Issue description


VULNERABILITY DETAILS:-
XSS in Google Chrome

VERSION:-
Google Chrome Version: 53.0.2785.143 m (64-bit)
Operating System: Windows 10 (64-bit)
Default search engine: https://www.google.co.in 

REPRODUCTION CASE:-

Hi
 
1. OS - Windows 10 / Browser - Google Chrome

2. Open Google Chrome.

3. Enter the XSS payload, like javascript:alert(1), in the Chrome browser's
    address bar (attaching image).

4. Now you will see the "www.google.co.in says XSS" pop-up (attaching image).

5. I am attaching images of the POC.

I hope you will be able to reproduce it.
Looking forward to hearing from you.

Thanks
Mukul Kumar Lohar
(mukulmalviya2@gmail.com)
 
Attachments: googlexss1.jpg (202 KB), googlexss2.jpg (209 KB)
Labels: -Restrict-View-SecurityTeam
Mergedinto: 656749
Status: Duplicate (was: Unconfirmed)
Summary: Security: JavaScript URIs may be entered in the address bar (was: Security: XSS vulnerability in Google Chrome)
Thanks for the report. The ability of the user to run script in documents by using the Developer Tools console or by entering a JavaScript URI in the Omnibox is "Working as Intended" behavior.

Chrome and other browsers do undertake some efforts to prevent *paste* of script URLs in the omnibox (to limit social-engineering: https://blogs.msdn.microsoft.com/ieinternals/2011/05/19/socially-engineered-xss-attacks/) but users are free to invoke script against themselves using either the address bar or the DevTools console.
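Added illustration of the paste protection the comment refers to; this is not Chromium's code, and the function names are hypothetical. It assumes the same input normalisation a WHATWG-style URL parser applies before scheme comparison (leading/trailing C0 controls and spaces trimmed, embedded tab/CR/LF removed), so that a pasted `javascript:` scheme is dropped and the remainder is treated as ordinary search text.

```javascript
// Normalise pasted text the way a URL parser would before it reads the scheme:
// trim leading/trailing C0 control characters and space, then remove ASCII
// tab, LF and CR anywhere in the string (URL parsers ignore them).
function normalizeSchemeCandidate(text) {
  let s = text.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  s = s.replace(/[\t\n\r]/g, "");
  return s;
}

// Hypothetical omnibox paste filter: if the normalised text starts with the
// javascript: scheme (any letter case), strip the scheme so the pasted text can
// no longer run as script. Anything else is passed through untouched.
function sanitizePastedOmniboxText(text) {
  const normalized = normalizeSchemeCandidate(text);
  const match = /^javascript:/i.exec(normalized);
  if (!match) {
    return { text, stripped: false };
  }
  return { text: normalized.slice(match[0].length), stripped: true };
}

// Constructed sample inputs: the payload from the report plus variants that a
// naive prefix check would miss (case, surrounding whitespace, embedded tab).
const samples = [
  "javascript:alert(1)",
  "  JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "https://example.com/?q=javascript:alert(1)",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(sanitizePastedOmniboxText(s)));
}
```

Note that the filter only applies to paste; typing the scheme by hand is deliberate user action and is left alone, which is the "Working as Intended" position above.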

Project Member

Comment 2 by sheriffbot@chromium.org, Jan 31 2017

Labels: allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mergedinto: -656749 81697
