XSS Auditor bypass with link + SVG animations
Reported by masatoki...@gmail.com, Apr 7 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce the problem:
1. Go to https://vulnerabledoma.in/char_test?body=%3Csvg%3E%3Canimate%20href=%23x%20attributeName=href%20values=%26%23x3000%3Bjavascript:alert(1)%20/%3E%3Ca%20id=x%3E%3Crect%20width=100%20height=100%20/%3E%3C/a%3E
2. Click the black square.

JavaScript is run. The vector is:
<svg><animate href=#x attributeName=href values= javascript:alert(1) /><a id=x><rect width=100 height=100 /></a>

What is the expected behavior?
It should be blocked by XSS Auditor

What went wrong?
It is not blocked by XSS Auditor

Did this work before? N/A
Chrome version: 57.0.2987.133
Channel: stable
OS Version: 10.0
Flash Version:
Apr 11 2017
Able to reproduce the issue on Windows 10, Mac 10.12.3 and Ubuntu 14.04 using Chrome reported version #57.0.2987.133 and latest Canary #59.0.3067.0.

Bisect Information:
=====================
Good build: 50.0.2648.0 Revision(375079)
Bad Build : 50.0.2649.0 Revision(375307)
Change Log URL: https://chromium.googlesource.com/chromium/src/+log/896099f64009e6f10a0a69263b65ff44d0064a42..a1c7eb7f23d0a275d223144a1cffbf3714d8982f

From the above change log, suspecting the below change:
Review url: https://codereview.chromium.org/1681553002

fs@ - Could you please check whether this is caused with respect to your change? If not, please help us in assigning it to the right owner. Thanks...!!
Apr 11 2017
https://codereview.chromium.org/1681553002 introduced non-XLink namespaced 'href', so prior to that the testcase most certainly wouldn't "work" for that reason. Whether 'xlink:href' would make a difference or not I don't know. (I thought the XSS auditor filtered on 'values'.)
Apr 11 2017
It looks like the SMIL engine and the XSS auditor have differing opinions on what constitutes whitespace, so the former treats U+3000 as whitespace and drops it from the value, while for the latter it's not considered whitespace, so the javascript: URL isn't detected. I think I'll switch the SMIL 'values' parsing into using the HTML definition of whitespace (since that's consistent with almost all other attribute parsing.)
Apr 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cd2205139c375696291bffcf86d27ef4e83d7994

commit cd2205139c375696291bffcf86d27ef4e83d7994
Author: fs <fs@opera.com>
Date: Tue Apr 11 17:08:49 2017

Strip only ASCII spaces from SMIL 'values' attributes

This is more consistent with other microsyntaxes used for attribute parsing, while also making it consistent with the XSSAuditor.

BUG=709365,710460
Review-Url: https://codereview.chromium.org/2807193003
Cr-Commit-Position: refs/heads/master@{#463662}

[add] https://crrev.com/cd2205139c375696291bffcf86d27ef4e83d7994/third_party/WebKit/LayoutTests/svg/animations/animate-values-whitespace.html
[modify] https://crrev.com/cd2205139c375696291bffcf86d27ef4e83d7994/third_party/WebKit/Source/core/svg/SVGAnimationElement.cpp
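The comment about differing whitespace definitions and the commit that strips only ASCII spaces describe a parser differential. The following is an added illustration, not code from Chromium or from the fix: it trims a SMIL 'values' attribute under the Unicode definition (pre-fix SMIL behaviour) and under the HTML/ASCII definition (what the Auditor used and what the fix adopted), then reports any entry where only one side sees a javascript: URL. The scheme check and the sample value are constructed stand-ins.

```javascript
// Added example (not from the Chromium bug or the fix): models the parser
// differential by trimming a SMIL 'values' attribute under two whitespace
// definitions and checking whether a javascript: URL appears on each side.

// HTML/ASCII whitespace: TAB, LF, FF, CR, SPACE. The XSS Auditor used this,
// and the fix made SMIL 'values' parsing use it too.
const ASCII_WS_EDGES = /^[\t\n\f\r ]+|[\t\n\f\r ]+$/g;

function trimAsciiWhitespace(s) {
  return s.replace(ASCII_WS_EDGES, '');
}

// Unicode White_Space, as String.prototype.trim applies it; this strips
// U+3000 IDEOGRAPHIC SPACE and models the pre-fix SMIL behaviour.
function trimUnicodeWhitespace(s) {
  return s.trim();
}

// Split a semicolon-separated SMIL 'values' list, trimming each entry with
// the supplied policy and dropping entries that become empty.
function parseSmilValues(values, trim) {
  return values.split(';').map(trim).filter((v) => v.length > 0);
}

// Simplified scheme check standing in for the filter's URL matching
// (constructed; not the Auditor's real logic).
function isJavascriptUrl(href) {
  return /^javascript:/i.test(href);
}

// Compare what the animation engine would apply against what the filter
// inspects. Any index where only one side sees a javascript: URL is a
// differential: a value the filter lets through but the engine executes.
function findDifferentials(values, engineTrim, filterTrim) {
  const engine = parseSmilValues(values, engineTrim);
  const filter = parseSmilValues(values, filterTrim);
  const n = Math.max(engine.length, filter.length);
  const out = [];
  for (let i = 0; i < n; i++) {
    const e = engine[i] || '';
    const f = filter[i] || '';
    if (isJavascriptUrl(e) !== isJavascriptUrl(f)) out.push({ index: i, engine: e, filter: f });
  }
  return out;
}

// Constructed sample modelled on the report: U+3000 precedes the scheme.
const SAMPLE_VALUES = '\u3000javascript:alert(1)';
const beforeFix = findDifferentials(SAMPLE_VALUES, trimUnicodeWhitespace, trimAsciiWhitespace);
const afterFix = findDifferentials(SAMPLE_VALUES, trimAsciiWhitespace, trimAsciiWhitespace);
```

With both sides using the same ASCII-only trim, the U+3000-prefixed entry is never a javascript: URL for either of them, which is the consistency the commit restores.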
Apr 12 2017
Apr 18 2017
Verified the issue on Mac OS 10.12.3, Ubuntu 14.04 and Windows 7 using Chrome Dev M59 #59.0.3071.9 and the issue is fixed. On click of the black square, it is blocked by XSS Auditor. Attached screencast for reference. Adding TE-Verified labels. Thanks!
Apr 19 2017
Issue 711197 has been merged into this issue.
Comment 1 by elawrence@chromium.org, Apr 7 2017
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug