Some non-ascii chars are interpreted as the valid attribute values in http-equiv
Reported by
masatoki...@gmail.com,
Jan 4 2017
|
||||||||||
Issue descriptionVULNERABILITY DETAILS The following tags work as the `meta refresh` and `meta Set-Cookie` in spite of the http-equiv attribute value has the non-ascii characters: <meta http-equiv="refreſh" content="0;url=https://attacker/"> <meta http-equiv="ſet-CooKie" content="test=1"> You can test this behavior from: https://vulnerabledoma.in/char_test?xss=0&charset=utf-8&body=%3Cmeta%20http-equiv=%22refre%C5%BFh%22%20content=%220%3Burl=https://example.com/%22%3E https://vulnerabledoma.in/char_test?xss=0&charset=utf-8&body=%3Cmeta%20http-equiv=%22%C5%BFet-Coo%E2%84%AAie%22%20content=%22test=1%22%3E%20%3Cbutton%20onclick=alert%28document.cookie%29%3Ealert%28document.cookie%29%3C/button%3E The non-ascii characters are included as follows: refre [U+017F] h [U+017F] et-Coo [U+212A] ie Due to this behavior, it might break some implementations of the blacklist based sanitizer. The expected behavior is that Chrome doesn't interpret the non-ascii characters as the valid attribute value in the http-equiv attribute. Could you confirm this bug? Thanks! VERSION 57.0.2970.0(Official Build) canary(64 bit)
,
Jan 4 2017
For clarity, I added the <meta charset="utf-8"> in the following link: https://vulnerabledoma.in/char_test?xss=0&charset=utf-8&body=%3Cmeta%20charset=%22utf-8%22%3E%3Cmeta%20http-equiv=%22refre%C5%BFh%22%20content=%220%3Burl=https://example.com/%22%3E https://vulnerabledoma.in/char_test?xss=0&charset=utf-8&body=%3Cmeta%20charset=%22utf-8%22%3E%3Cmeta%20http-equiv=%22%C5%BFet-Coo%E2%84%AAie%22%20content=%22test=1%22%3E%20%3Cbutton%20onclick=alert%28document.cookie%29%3Ealert%28document.cookie%29%3C/button%3E
,
Jan 4 2017
>To clarify its security implications" what blacklist based sanitizer are you referring to? For example, the developers want the users to use many HTML in the their application. But they don't want the attacks such as the XSS. At such time, the blacklist approach is universally used. I haven't seen a actual example which is vulnerable by this bug yet. But considering XSS Auditor blocks only meta tags which has the `Set-Cookie` and `Refresh`, basically, if the application blocks only both http-equiv values, we can say almost safe against the attack via meta tags. This bug breaks that premise. (FYI, Auditor can block both non-ascii variations because it uses the same comparison function named `equalIgnoringCase`.) Also, the `equalIgnoringCase` function is used many places. I think it has potentially another risks in many places.
,
Jan 11 2017
Thank you for providing more feedback. Adding requester "mmoroz@google.com" for another review and adding "Needs-Review" label for tracking. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 11 2017
,
Jan 13 2017
I'm not sure what the ideal behavior is here. We don't generally treat these kinds of issues as security vulnerabilities for the reasons mentioned at https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Are-XSS-filter-bypasses-considered-security-bugs- (this isn't exactly the same case, but the rationale applies here as well). I'll leave it up to others to decide what we should do here, though.
,
Jan 13 2017
,
Jan 13 2017
,
Jan 16 2017
,
Jan 16 2017
Had chat offline. Note to self. - We should fix the issue. -- Using equalIgnoringCase is too loose. -- I think its safer to have the meta trigger only for restricted ascii set. - This isn't a *Chromium/Blink* security bug. -- Per policy: https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Are-XSS-filter-bypasses-considered-security-bugs- -- Although XSS filter here is more of third-parties.
,
Jan 17 2017
,
Feb 10 2017
,
Mar 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fb07ed0749ddbb4791c03e9a1b996ec1b0fe191b commit fb07ed0749ddbb4791c03e9a1b996ec1b0fe191b Author: lpy <lpy@chromium.org> Date: Fri Mar 17 19:48:03 2017 Use equalIgnoringASCIICase in HttpEquiv. Using equalIgnoringCase is too loose, it's safer to have restricted ASCII set here. BUG= 678150 Review-Url: https://codereview.chromium.org/2690703002 Cr-Commit-Position: refs/heads/master@{#457861} [add] https://crrev.com/fb07ed0749ddbb4791c03e9a1b996ec1b0fe191b/third_party/WebKit/LayoutTests/http/tests/misc/meta-http-equiv-ascii-charset-expected.txt [add] https://crrev.com/fb07ed0749ddbb4791c03e9a1b996ec1b0fe191b/third_party/WebKit/LayoutTests/http/tests/misc/meta-http-equiv-ascii-charset.html [modify] https://crrev.com/fb07ed0749ddbb4791c03e9a1b996ec1b0fe191b/third_party/WebKit/Source/core/loader/HttpEquiv.cpp
,
Mar 19 2017
This was fixed. |
||||||||||
►
Sign in to add a comment |
||||||||||
Comment 1 by mmoroz@google.com
, Jan 4 2017Components: Blink>HTML>Parser
Labels: Needs-Feedback Pri-2