Google Chrome Anti-XSS bypass through HTTP Parameter Pollution (HPP)
Issue description

Chrome Version: Version 60.0.3112.50 (Official Build) beta (64-bit)
OS: All

What steps will reproduce the problem?
Browse to: http://xss.untrusted.com/xss?id=%3Cscript%20src=data:&id=alert(1)%3E%3C/script%3E

What is the expected result?
XSS blocked by the XSS auditor.

What happens instead?
XSS executes.

It appears that this is a regression of an old bug: https://bugs.chromium.org/p/chromium/issues/detail?id=118808 Well, at least that bug is resolved "fixed" but the issue still reproduces.

(I'm biased given my work on the IE XSS filter, but...) I would say that HPP is pervasive enough that the auditor really needs to address it in order to provide a credible defense against reflected XSS.
Nov 10 2017

Nov 13 2017
Looks like this one fell through the cracks, sorry. Can you give me the exact reflection in the page text so as to be sure we're on the same page, so to speak? I didn't see anything returned from the example URL in the original description.
Nov 14 2017
It's HPP: in this case the id parameters from the GET get concatenated server-side with a comma, creating a valid data: URL for the script.
Nov 21 2017
I'm guessing you meant <script src=data:,alert(1)></script> is what appears in the page. XSSAuditor is extremely sensitive to subtle changes in punctuation, which is why I asked for the exact page contents rather than an explanation.
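The mechanism the thread describes, as an added example that is not code from the Chromium thread or from Chrome's XSSAuditor: a server that joins repeated query parameters with a comma and reflects the result (ASP.NET's Request.QueryString is one well-known framework that joins this way), the page content the comment above reconstructs, and two reflection checks side by side. The first compares each parameter value exactly as the client sent it; the second merges duplicates with the server's join rule first, so the comma the server inserts is part of what gets compared. The handler, page layout and the simplified "exact start tag must appear in the request" matching rule are assumptions for illustration, not the auditor's actual logic.

```javascript
// Added example, not code from the Chromium thread or from Chrome's XSSAuditor.
// It reproduces the HPP concatenation the reporter describes and shows why a
// per-parameter reflection check misses it while an HPP-aware one does not.

// The URL query from the original report.
const REPORTED_QUERY = "id=%3Cscript%20src=data:&id=alert(1)%3E%3C/script%3E";

// Assumed server behaviour: duplicate parameters are joined with ",".
// (ASP.NET's Request.QueryString is one framework known to do this.)
function mergeDuplicates(rawQuery) {
  const merged = new Map();
  for (const [name, value] of new URLSearchParams(rawQuery)) {
    merged.set(name, merged.has(name) ? `${merged.get(name)},${value}` : value);
  }
  return merged;
}

// Hypothetical vulnerable handler: reflects the merged id value unescaped.
function renderPage(rawQuery) {
  const id = mergeDuplicates(rawQuery).get("id") ?? "";
  return `<html><body><p>Record ${id} not found</p></body></html>`;
}

// All <script ...> start tags present in a response body.
function scriptStartTags(html) {
  return Array.from(html.matchAll(/<script\b[^>]*>/gi), (m) => m[0]);
}

// Simplified auditor-style rule (an assumption, not the real auditor): a
// script start tag in the page is blocked only if that exact tag appears in
// one of the candidate request values. The thread notes the real auditor is
// very sensitive to punctuation, which is exactly why the comma matters.
function blockedTags(candidates, html) {
  return scriptStartTags(html).filter((tag) =>
    candidates.some((candidate) => candidate.includes(tag))
  );
}

// Check 1: each parameter value exactly as the client sent it.
function blockedPerParameter(rawQuery, html) {
  const values = Array.from(new URLSearchParams(rawQuery).values());
  return blockedTags(values, html);
}

// Check 2: values merged the way the server merges them, so the comma the
// server inserts between duplicates is part of the comparison.
function blockedAfterMerge(rawQuery, html) {
  const values = Array.from(mergeDuplicates(rawQuery).values());
  return blockedTags(values, html);
}

// Runs both checks against the page the hypothetical server would return.
function demo(rawQuery) {
  const html = renderPage(rawQuery);
  return {
    html,
    perParameter: blockedPerParameter(rawQuery, html),
    afterMerge: blockedAfterMerge(rawQuery, html),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  // Reported (split) payload versus the same script sent as one parameter.
  for (const q of [REPORTED_QUERY, "id=%3Cscript%20src=data:,alert(1)%3E%3C/script%3E"]) {
    console.log(JSON.stringify(demo(q), null, 2));
  }
}
```

For the reported query the page contains `<script src=data:,alert(1)></script>`, the per-parameter check blocks nothing because neither fragment the client sent contains that start tag, and the merge-aware check blocks it. Sending the same script as a single id parameter is blocked by both, which is the point of the report: the bypass comes entirely from the server's join, so a filter that never reproduces that join cannot see the injected tag.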
Feb 18 2018
Comment 1 by sheriffbot@chromium.org, Jul 13 2017