
Issue 677734 link


Issue metadata

Status: Duplicate
Merged: issue 517547
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Bug




XSS Auditor Bypass with SVG animations

Reported by sirdarck...@gmail.com, Jan 1 2017

Issue description

Steps to reproduce the problem:
1. Go to http://evilwebsite.com/xss.php?html_xss=<svg><set%20href=%23script%20attributeName=href%20to=data:,alert(1337)%20/><script%20id=script%20src=foo></script>
2. See the alert
3. Rejoice

What is the expected behavior?
No alert()

What went wrong?
XSS Auditor isn't aware of SVG XSS payloads. See html5sec.org for more.

Did this work before? N/A

Chrome version: 55.0.2883.91  Channel: stable
OS Version:
Flash Version:

Components: Blink>SecurityFeature
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Unrestricting; XSS Auditor bypasses are not considered security vulnerabilities.
https://www.chromium.org/Home/chromium-security/security-faq#TOC-Are-XSS-filter-bypasses-considered-security-bugs-
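As an added illustration, not part of the report or of Chromium's own code, the following Python scanner flags the pattern the issue description relies on: an SVG `<set>`/`<animate>` element whose `attributeName` is `href` and whose animated value is a `data:` or `javascript:` URL, retargeting a `<script>` element already in the document. It uses only Python's `html.parser`; `REPORTED_PAYLOAD` is the reporter's query-string value URL-decoded, and `BENIGN_SVG` is a constructed control input. The function and constant names are assumptions. A reflected-input filter that only inspects `<script src>` and event-handler attributes never sees this rewrite, which is what the report means by the auditor being unaware of SVG payloads.

```python
# Added example (not from the report or Chromium): a scanner for the SVG
# animation pattern in the description, where a <set>/<animate> element rewrites
# a <script> element's href to a data: or javascript: URL. Names are assumptions.
from html.parser import HTMLParser
from urllib.parse import unquote

ANIMATION_TAGS = {"set", "animate"}           # SVG animation elements that can rewrite attributes
HREF_ATTRS = {"href", "xlink:href"}           # attributeName values worth flagging
VALUE_ATTRS = ("to", "from", "by", "values")  # where an animation supplies new attribute values
DANGEROUS_SCHEMES = ("data:", "javascript:")  # schemes that make a retargeted script run inline

# The reporter's query-string value, URL-decoded (the only payload the report contains).
REPORTED_PAYLOAD = unquote(
    "<svg><set%20href=%23script%20attributeName=href%20to=data:,alert(1337)%20/>"
    "<script%20id=script%20src=foo></script>"
)
# Constructed control input: an animation that touches a geometric attribute, not href.
BENIGN_SVG = '<svg><circle r="5"><animate attributeName="r" to="10" dur="1s"/></circle></svg>'


class SvgAnimationScanner(HTMLParser):
    """Collect <script id=...> elements and SVG animation elements from HTML input.

    Python's html.parser lowercases attribute names, so SVG's camelCase
    ``attributeName`` arrives as ``attributename``. Browsers apply the same
    case fix-up for inline SVG in HTML documents, so matching the lowercase
    form is the right behaviour here.
    """

    def __init__(self):
        super().__init__()
        self.script_ids = set()
        self.animations = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("id"):
            self.script_ids.add(a["id"])
        elif tag in ANIMATION_TAGS:
            self.animations.append((tag, a))
    # The default handle_startendtag calls handle_starttag, so "<set ... />" is covered.


def scan(html):
    """Return one finding per animation element that retargets href to a dangerous scheme."""
    parser = SvgAnimationScanner()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, a in parser.animations:
        attribute = (a.get("attributename") or "").strip().lower()
        if attribute not in HREF_ATTRS:
            continue
        # 'values' is a semicolon-separated list; the other attributes hold one value each.
        candidates = []
        for name in VALUE_ATTRS:
            if a.get(name):
                candidates.extend(v.strip() for v in a[name].split(";"))
        bad = [v for v in candidates if v.lower().startswith(DANGEROUS_SCHEMES)]
        if not bad:
            continue
        target = a.get("href") or a.get("xlink:href") or ""
        findings.append({
            "element": tag,
            "attribute": attribute,
            "target": target,
            "value": bad[0],
            # True when the animation points at a <script id=...> in the same document.
            "targets_script": (target.lstrip("#") in parser.script_ids) if target.startswith("#") else False,
        })
    return findings


if __name__ == "__main__":
    for label, doc in (("reported payload", REPORTED_PAYLOAD), ("benign svg", BENIGN_SVG)):
        print(label, "->", scan(doc))
```

The scanner reports the animation element, the attribute it rewrites, the element it targets, and whether that target is a script in the same document; an allowlist-based sanitizer would normally drop `set`/`animate` inside untrusted SVG entirely rather than try to reason about their values, and this check shows why.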

Comment 2 by mkwst@chromium.org, Feb 14 2017

Labels: -Pri-2 OS-Chrome OS-Linux OS-Mac OS-Windows Pri-3
Owner: tsepez@chromium.org
Status: Assigned (was: Unconfirmed)
Tom, WDYT?

Comment 3 by tsepez@chromium.org, Feb 17 2017

Mergedinto: 517547
Status: Duplicate (was: Assigned)
I've been stumped on this one for a while, though the SVG is considered a separate origin, e.g. try alerting document.domain in your payload.
Please cc me in the other bug.

But about your last comment, I don't think so. The script runs same origin.

Comment 5 by tsepez@chromium.org, Feb 21 2017

Cc: mkwst@chromium.org
Yeah, you're right.  My memory must be faulty.
