
Issue 740963 link

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 421786
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug




XSS Auditor bypass

Reported by lysio...@gmail.com, Jul 11 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce the problem:
1. Just open attached html file

What is the expected behavior?
No window should be displayed after passing an unclosed tag.

What went wrong?
Looks like XSS Auditor doesn't block document.write() of an incomplete tag.

Did this work before? N/A 

Chrome version: 59.0.3071.115  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 26.0 r0

If you close <img> properly then you can see: "The XSS Auditor blocked access to ... because the source code of a script was found within the request. The auditor was enabled as the server did not send an 'X-XSS-Protection' header." in DevTools.
 

Comment 1 by lysio...@gmail.com, Jul 11 2017

Attachment: xss-bypass.html (214 bytes)
Cc: brajkumar@chromium.org
Components: Blink>SecurityFeature>XSSAuditor
Labels: M-61 OS-Linux OS-Mac
Status: Untriaged (was: Unconfirmed)
Able to reproduce this issue on Windows 10, Ubuntu 14.04 and Mac OS using Chrome latest stable 59.0.3071.115 by following the test case provided in comment #1. On opening the test case, observed 2 pop-ups back to back saying "This page says: xss" and observed an extra window opening.

This issue is seen on an earlier version of Chrome, M35 (35.0.1849.0), as well. Hence considering this a non-regression issue and marking it as Untriaged.

Thanks!

Comment 3 by mkwst@chromium.org, Aug 1 2017

Owner: tsepez@chromium.org
Status: Assigned (was: Untriaged)
I think this is similar to one you fixed, Tom. WDYT?
Mergedinto: 421786
Status: Duplicate (was: Assigned)
Still present in M61.

I think this is https://bugs.chromium.org/p/chromium/issues/detail?id=421786 , which needs a new owner (under blink parser). Running this on a debug build, for example, trips an assert:

[1:1:0801/095110.314817:FATAL:HTMLToken.h(106)] Check failed: start <= end (19 vs. 0)
#0 0x563166d18e7d base::debug::StackTrace::StackTrace()
#1 0x563166d1740c base::debug::StackTrace::StackTrace()
#2 0x563166d7cb1a logging::LogMessage::~LogMessage()
#3 0x563172726918 blink::HTMLToken::Attribute::Range::CheckValid()
#4 0x56317274ff7d blink::HTMLToken::EndAttributeValue()
#5 0x56317274a5a8 blink::HTMLTokenizer::NextToken()
#6 0x5631727b8a3d blink::BackgroundHTMLParser::PumpTokenizer()
#7 0x5631727b9c9f blink::BackgroundHTMLParser::ResumeFrom()
#8 0x56317272c89e _ZN4base8internal13FunctorTraitsIMN5blink20BackgroundHTMLParserEFvNSt3__110unique_ptrINS3_10CheckpointENS4_14default_deleteIS6_EEEEEvE6InvokeIRKNS_7WeakPtrIS3_EEJS9_EEEvSB_OT_DpOT0_
#9 0x56317272c695 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN5blink20BackgroundHTMLParserEFvNSt3__110unique_ptrINS5_10C
