XSS Auditor bypass with javascript: base URL
Reported by masatoki...@gmail.com, May 9 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36

Steps to reproduce the problem:

To use this vector, the following conditions are needed:
1. The page has a simple reflected XSS.
2. A whitespace character is just behind the injection point.
3. A single/double quote is behind the injection point.

I created a page which has these conditions:
https://vulnerabledoma.in/xss_auditortest?test=5&q=[XSS_HERE]

<div> [XSS_HERE] </div><div id="x">AAA</div>

The bypass vector is:
https://vulnerabledoma.in/xss_auditortest?test=5&q=%3Ca%20href=/**/alert%281%29%3ECLICK%3C/a%3E%3Cbase%20href=%22javascript:%5C

<div> <a href=/**/alert(1)>CLICK</a><base href="javascript:\ </div><div id="x">AAA</div>

When you click the "CLICK" text, JavaScript is run.

I think the `javascript:` URL is not used as the base URL in any web page. The use of a `data:` URL as the base URL is refused in the latest Chrome:
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/dom/Document.cpp?l=3563&rcl=2fc330d0b93d4bfd7bd04b9fdd3102e529901f91
In the same way, I think we can refuse the use of a javascript: URL as the base URL.

What is the expected behavior?
What went wrong?
It is not blocked by XSS Auditor.

Did this work before? N/A

Chrome version: 58.0.3029.96  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 25.0 r0
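As an added illustration of the mitigation the reporter proposes (refusing javascript: base URLs the way Chrome already refuses data: ones), here is a document-level check written for this page; it is not code from the report or from Chromium. The document URL and the sample href values are constructed, modelled on the report's vector, and the check runs on the WHATWG URL parser available in browsers and Node.js.

```javascript
// Added example (not from the Chromium report): decide whether a candidate
// <base href> value may become the document's base URL. Mirrors the proposed
// fix: javascript: (and, as Chrome already does, data:) are never valid bases.
const FORBIDDEN_BASE_SCHEMES = new Set(['javascript:', 'data:']);

// Resolve the attribute value against the document URL first, then inspect the
// scheme. Unparseable values are rejected too, so the document keeps its own
// URL as the fallback base.
function isAllowedBaseHref(href, documentUrl) {
  let resolved;
  try {
    resolved = new URL(href, documentUrl);
  } catch (e) {
    return false; // unparseable: keep the fallback base URL
  }
  return !FORBIDDEN_BASE_SCHEMES.has(resolved.protocol);
}

// The check a naive filter would do. The URL parser strips leading/trailing
// whitespace and removes embedded tabs and newlines before reading the scheme,
// so string matching on the raw attribute value misses such variants.
function naiveCheck(href) {
  return !href.toLowerCase().startsWith('javascript:');
}

// Constructed inputs. The fourth one is shaped like the report's vector, where
// the unterminated attribute value swallows the following markup up to the
// next double quote, so a line break and tags end up inside the href.
const DOC = 'https://example.test/page?q=x'; // constructed document URL
const samples = [
  'https://cdn.example.test/static/',
  '/static/',
  'javascript:alert(1)',
  'javascript:\\\n</div><div id=',
  '  javascript:alert(1)',   // leading whitespace
  'java\tscript:alert(1)',   // tab inside the scheme name
  'data:text/html,<b>hi</b>',
];

// Returns, per sample, what the parser-based and the naive check decide.
function classifyBaseHrefs(list, documentUrl) {
  return list.map((h) => ({
    href: h,
    allowed: isAllowedBaseHref(h, documentUrl),
    naive: naiveCheck(h),
  }));
}
```

Of the seven constructed values only the two http(s) ones are accepted, while the naive prefix check lets the whitespace and tab variants through.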
May 9 2017
May 9 2017
Over to OWP with the comment: We should just block <base href="javascript:"> rather than relying on XSSAuditor to catch this case.
Nov 10 2017
Feb 1 2018
I believe this is a duplicate of Issue 796215 and thus fixed by the CL that landed forbidding javascript: as a base?
Feb 2 2018
Comment 1 by aarya@google.com, May 9 2017
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Owner: tsepez@chromium.org
Status: Assigned (was: Unconfirmed)