
Issue 674503

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2016
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




Saving JSON as HTML and reopening may execute script

Reported by norwinbo...@gmail.com, Dec 15 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
XSS payload: ----"><img src=x onerror=alert('norwin_gwapo')>
Please see this link:
https://home.sophos.com/server/status/?{}&category=----"><img src=x onerror=alert('norwin_gwapo')>
Load that link, then save that page; after saving the page, view it.

reference:
https://evanricafort.blogspot.com/2016/04/universal-xss-vulnerability-in-comodo.html

What is the expected behavior?
The expected behavior is that the script will not be executed.

What went wrong?
When the page is saved and viewed locally, the script will be executed.

Did this work before? Yes, latest version

Chrome version: 55.0.2883.87  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 24.0 r0
 
Attachments: STEP1.png (53.0 KB), step2.png (81.1 KB), step3.png (37.4 KB), UXSS.html (152 bytes)
Summary: Saving JSON as HTML and reopening may execute script (was: i found UXSS)
The claim here is that, if the server returns a JSON response, and the user saves it with an HTML file extension, upon reopening the file, any script embedded in that JSON text will be executed as script.

This isn't a UXSS (it requires extensive user interaction, and only sites which serve JSON files with reflected text are vulnerable.)

The script that executes upon reload is of limited privilege, due to how Chrome evaluates Same-Origin-Policy for file:// sourced HTML documents.
Labels: -Restrict-View-SecurityTeam allpublic
Status: WontFix (was: Unconfirmed)
As mentioned in c#1, this is not UXSS. It doesn't execute in the context of the origin of the site it was saved from (the X in XSS).

When attempting to demonstrate UXSS, using something like "console.log(document.domain);" can lend more insight into what's happening than popping an alert box with an arbitrary string.
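Comment #1 notes that only sites which serve JSON with reflected text are exposed to this save-as-HTML trick at all. The following is an added example (not code from the Chromium issue, from Chromium, or from Sophos) of how such a site can make the saved file inert on its own side, independent of how any browser treats file:// documents. The response body shape and the `safeJsonSerialize`, `jsonResponseHeaders` and `containsHtmlTag` names are constructed for illustration; the reflected value is the reporter's payload.

```javascript
// Added example (not from the Chromium issue, Chromium or Sophos): hardening a
// JSON endpoint that reflects request input, so that the body still contains
// no HTML tag even if a user saves it with a .html extension.
//
// Two independent layers:
//   1. Escape every HTML-significant character inside the serialized JSON as a
//      \uXXXX sequence. The JSON stays valid and parses back to the same value,
//      but the raw bytes no longer contain "<", so an HTML parser finds no tag.
//   2. Send headers that declare the body as JSON and forbid MIME sniffing.
//      Headers are returned as a plain object here (no server is started), so
//      the example runs stand-alone; wire them into your own framework.

const HTML_SIGNIFICANT = /[<>&\u2028\u2029]/g;

// Serialize with JSON.stringify, then replace HTML-significant characters with
// their \u escapes. Doing this after stringify is safe: none of these
// characters is part of JSON syntax, they only ever appear inside strings.
function safeJsonSerialize(value) {
  return JSON.stringify(value).replace(HTML_SIGNIFICANT, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Response headers for a JSON endpoint. X-Content-Type-Options: nosniff keeps
// the browser from sniffing the body into HTML when served over the network;
// the escaping above covers the saved-to-disk case the issue describes.
function jsonResponseHeaders() {
  return {
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Crude check used only to show the difference: does the text contain
// anything an HTML parser would start a tag from?
function containsHtmlTag(text) {
  return /<[a-zA-Z!\/]/.test(text);
}

// Constructed sample: the reporter's reflected "category" parameter inside a
// made-up JSON body (this is not the real shape of the Sophos response).
const reflectedCategory = `----"><img src=x onerror=alert('norwin_gwapo')>`;
const responseBody = { status: 'unknown', category: reflectedCategory };

const naive = JSON.stringify(responseBody);
const safe = safeJsonSerialize(responseBody);
console.log('naive:', naive);
console.log('safe: ', safe);
console.log('naive contains a tag:', containsHtmlTag(naive));
console.log('safe contains a tag: ', containsHtmlTag(safe));
console.log('safe round-trips:', JSON.parse(safe).category === reflectedCategory);
console.log('headers:', jsonResponseHeaders());
```

The naive serialization still carries `<img src=x onerror=...>` byte for byte, which is exactly what an HTML parser sees when the file is reopened with a .html name; the escaped form carries `\u003cimg ...\u003e`, which only a JSON parser turns back into the original string. Escaping at the serializer rather than the template is what makes this hold for every endpoint that reflects input.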
Hi sir, why WontFix? Is this not a bug that warrants a fix?

The Only Stable In This World Is Changed.
