Issue metadata
Sign in to add a comment
|
Security: Bypassing Chrome XSS Auditor by importing existing scripts that manipulate DOM
Reported by
jou...@gmail.com,
Feb 21 2017
|
||||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS The Chrome XSS Auditor does not block <script src=...> tags if the source is a relative URL without a query string. This can be used to load any JS files from that origin. It's often possible to find scripts that manipulate the DOM unsafely in the case of an HTML injection, and bypass the XSS Auditor. The behavior is probably intended to avoid false positives but I'm not sure what kind of cases those are. It makes defeating XSS Auditor possible relatively often (seems to me at least). Maybe a downside not worth the benefits? I have come across a few XSS cases recently where I've been able to exploit this feature. Making the exploits can be time-consuming but it's not impossible that "recipes" for commonly used JS libraries will start surfacing. Quick googling didn't turn up any discussion about this so I thought I'd write something about it on our website. Before doing that however I decided to bring this up with you, just in case you want to reconsider this design choice. VERSION Chrome Version: 56.0.2924.87 (stable) Operating System: Linux Ubuntu 16.04.2 LTS REPRODUCTION CASE https://vulnerable.server/xss.php?a=<script src=/library.js></script><div class=...> I included a couple of real-world examples in my email to security@google.com.
,
Feb 21 2017
Per our vulnerability guidelines, XSS Auditor bypasses are not security bugs.
,
Feb 22 2017
We can add a use-counter pretty easily. *shrug* Might as well do so.
,
Feb 23 2017
,
Feb 24 2017
,
Apr 12 2017
Is this somehow different than Issue 392964?
,
May 6 2017
Issue 392964 has the prerequisite "if a website lets you upload arbitrary text files". I reported a problem that doesn't require arbitrary uploads. It requires that there is JavaScript under the webroot that manipulates the DOM (controllable by the attacker) in an unsafe way. Example in pseudoish code: // example.js somediv.innerHTML=somelink.getAttribute('data-title'); If there's an XSS somewhere on the site, the attacker can inject something like: <div id="somediv"></div> <a id="somelink" data-title="<svg onload=alert('xss'); /> "></a> <script src="/example.js"> The attacker builds DOM elements that contain unexpected things and then loads an existing script (anywhere on the site) that manipulates those elements, trusting they are "sane".
,
May 8 2017
This is an assignment to innerHTML, which is a DOM-based XSS, not a reflected xss. We disable XSSAuditor for document fragments for performance reasons, and unfortunately, XSSAuditor will never be able to catch this.
,
May 8 2017
Blocking reflected "<script src=...>" would stop the example attack. In the real-world example cases the vulnerable page doesn't normally load the unsafe JS. The <script> tag to do the loading is injected. Blocking doesn't happen because (your link): // If the resource is loaded from the same host as the enclosing page, it's // probably not an XSS attack But it is an attack. I was wondering what kind of website would legitimately pass "<script src=...>" in query parameters. Probably not that many. Anyway, you probably understand the potential problems of fixing and not fixing it so I have no further comments. Thanks! |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by tsepez@chromium.org
, Feb 21 2017Owner: mkwst@chromium.org
Status: Available (was: Unconfirmed)