View-Source: does not rewrite JavaScript URIs
Reported by
anasmahm...@gmail.com,
Mar 25 2017
|
|||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0 Steps to reproduce the problem: First of all make html page and enter this script "<a href="javascript:alert(document.location)" >Click Me</a>". Now our page shows 'click me' If we click on "Click Me" XSS popup showing link location means it's vulnerable to XSS, If our page don't allow popups means it's not vulnerable to XSS. OK Now we open this page in Google chrome or Chromium and press Ctrl+U or right click on the page and click on View page source. In view source of this page, browser makes this payload 'javascript:alert(document.location)' a link, when we click on this link XSS popup showing link location. OK What is the expected behavior? If our page have a link "http://www.example.com" so 'view source' of browser make the link like this view-source:http://www.example.com What went wrong? If our page have a link "http://www.example.com" so 'view source' of browser make the link as it is, means if we click the link through view source, browser load http://www.example.com instead of [view-source:http://www.example.com] Did this work before? N/A Chrome version: 57.0.2935.0 Channel: n/a OS Version: Windows 7 Flash Version: Shockwave Flash 10.2 r159 Firefox handle this situation correctly
,
Mar 25 2017
Attacker can use any website for this purpose because the vulnerability exist in view source. For ex: Attacker can make a malicious page and post into the site but the site block this link. Site doesn't allow alert popups or don't make scripts. Through view source it is possible. It is not an attack it's just example. Attack: Attacker trick victims to go into view source.Victim view the page source of site, click on malicious link which could result in crash dump of browser or goes to malware site directly(Open redirection),receive sensitive information like IP address,drive by download, trojan and virus etc For this purpose Attacker can use malware site link and data Scheme URIs to exploit.
,
Mar 26 2017
hmm, that's a lot of friction. If the attacker can social engineer users to view source, I'm sure they can social engineer them into something even worse. And even if users are tricked into view source and click on the malicious link, they are still protected by safe browsing (a.k.a interstitial will show). Anyway, that's just my 2 cents. I'll let ViewSource team to judge how severe this is.
,
Mar 26 2017
As described, this isn't a security vulnerability. If, as in #2, an attacker has the ability to post arbitrary HTML to a website (or JavaScript URIs of any sort) they need not play tricks with View Source to get the user to click on the links. The behavior described (failing to rewrite javascript:xx into view-source:javascript:xx) would only represent a security vulnerability if script execution in the view-source: context afforded the script additional permissions (e.g. allowed it to call extension URIs, navigate the user to chrome: URLs, etc) that would not be present when the markup is served via HTTP.
,
Mar 26 2017
,
Mar 27 2017
Re #4, remove security label. I'll let ViewSource component to decide if they want to close this issue or not.
,
Sep 20 2017
The simple fix to prevent JavaScript URIs being made clickable could be made in HTMLViewSourceDocument::AddRange. I wonder, however, whether it'd be safer to apply a CSP that denies all JavaScript execution on view-source pages.
,
Sep 21 2017
Issue 766986 has been merged into this issue.
,
Feb 6 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4f811848ab21dbbe39f64f82f61aa0e41c14a227 commit 4f811848ab21dbbe39f64f82f61aa0e41c14a227 Author: Eric Lawrence <elawrence@chromium.org> Date: Tue Feb 06 17:37:23 2018 Sanitize JavaScript links in HTMLViewSourceDocument To limit mischief, replace the target of JavaScript-scheme links in HTMLViewSourceDocument with about:blank. Bug: 705206 , 808407 Change-Id: I185006d0cb29caabcd08dd9d5b9324357c79efaa Reviewed-on: https://chromium-review.googlesource.com/900099 Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Eric Lawrence <elawrence@chromium.org> Cr-Commit-Position: refs/heads/master@{#534705} [modify] https://crrev.com/4f811848ab21dbbe39f64f82f61aa0e41c14a227/third_party/WebKit/Source/core/html/HTMLViewSourceDocument.cpp
,
Feb 6 2018
,
Feb 6 2018
Requesting merge to M65. This is an extremely simple and safe fix which acts as an attack-surface-reduction.
,
Feb 7 2018
Checked the issue on latest canary 66.0.3342.0 on Ubuntu 14.04 as per comment#0. Followed these steps. 1. Created an .html file with the script given in C#0 2. Opened the file in chrome 3. Clicked on "Click me" 4. Then Ctrl+U(View page source) by opening the .html file in a new tab. We have observed similar behaviour on pressing Ctrl+U on both latest stable(64.0.3282.140) and Latest canary(66.0.3342.0). Note: On clicking "Click me" the pop-ups on two versions were little different as shown in screen cast. @elawrenc: Could you please let us know if the steps followed in order to verify the issue is correct. Please let us know if anything missed and help us verifying the issue. Thanks!
,
Feb 7 2018
At 0:33 or 0:44 in the video, when you're on the view-source page, you need to click the link in the page that reads "javascript:alert(....". The expected behavior (after the fix) is that a new tab opens to "about:blank".
,
Feb 7 2018
Through View-Source, an attacker may perform RFD and also hack or hijack victim browser through javascript injection.But victim needs to click a link. Anyway, It's a 'bug' in Google Chrome browser and I don't know what's the severity of this bug on security implications. Thanks
,
Feb 7 2018
,
Feb 7 2018
Your change meets the bar and is auto-approved for M65. Please go ahead and merge the CL to branch 3325 manually. Please contact milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 7 2018
Pls merge your change to M65 branch 3325 ASAP so we can pick it up for next M65 Beta release. Thank you.
,
Feb 7 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bdad902d8163ca5a723d930d1f22bea61669dd72 commit bdad902d8163ca5a723d930d1f22bea61669dd72 Author: Eric Lawrence <elawrence@chromium.org> Date: Wed Feb 07 19:06:40 2018 Sanitize JavaScript links in HTMLViewSourceDocument (M65 merge) To limit mischief, replace the target of JavaScript-scheme links in HTMLViewSourceDocument with about:blank. Bug: 705206 , 808407 Change-Id: I185006d0cb29caabcd08dd9d5b9324357c79efaa Reviewed-on: https://chromium-review.googlesource.com/900099 Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Eric Lawrence <elawrence@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#534705}(cherry picked from commit 4f811848ab21dbbe39f64f82f61aa0e41c14a227) Reviewed-on: https://chromium-review.googlesource.com/907408 Reviewed-by: Eric Lawrence <elawrence@chromium.org> Cr-Commit-Position: refs/branch-heads/3325@{#366} Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} [modify] https://crrev.com/bdad902d8163ca5a723d930d1f22bea61669dd72/third_party/WebKit/Source/core/html/HTMLViewSourceDocument.cpp
,
Feb 9 2018
Verified the fix on Mac 10.13.1, Windows 10 and Ubuntu 14.04 on Chrome version #66.0.3344.0 as per the comment#13 Attaching screen cast for reference. Observed "about:blank" tab opened after clicking the link. Hence, the fix is working as expected. Adding the verified labels. Thanks
,
Feb 14 2018
Verified the fix on Mac 10.13.1, Windows 10 and Ubuntu 14.04 on Chrome version #65.0.3325.73 as per the comment#13 Attaching screen cast for reference. Observed "about:blank" tab opened after clicking the link. Hence, the fix is working as expected. Adding the verified labels. Thanks |
|||||||||||||
►
Sign in to add a comment |
|||||||||||||
Comment 1 by jialiul@chromium.org
, Mar 25 2017