XSS Auditor bypass with newline and -->
Reported by sirdarck...@gmail.com, Aug 8 2017
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Example URL: http://evilwebsite.com/xss.php?html_xss=%3Cscript%3Ealert(1)%0a--%3E&attr_xss=1&js_xss=1
Steps to reproduce the problem:
http://evilwebsite.com/xss.php?html_xss=%3Cscript%3Ealert(1)%0a--%3E&attr_xss=1&js_xss=1
What is the expected behavior?
it shouldn't alert
What went wrong?
it alerts
Does it occur on multiple sites: Yes
Is it a problem with a plugin? No
Did this work before? N/A
Does this work in other browsers? No n/a
Chrome version: 60.0.3112.90
Channel: stable
OS Version:
Flash Version:
Aug 8 2017
I'd need to see the view-source of the reflected page to be sure about what's going on. thanks.
Aug 8 2017
Aug 9 2017
--> is a comment in JavaScript. if you need to see the PHP code of the page, there's a "source" link in the page, although I don't think you need it :)
Aug 9 2017
in case there's too much code.. the attack is: <script>alert(1) --><a href="1">click</a><script>var m="1"; document.title=m;</script> where alert(1) --> is the injection
Aug 9 2017
Thanks, C#5 is exactly what I need. XSSAuditor has to cope with various server-side transformations, (e.g. urldecodes) and having the specific output is critical to ensure there isn't any additional funny stuff going on.
Aug 9 2017
Weird, I would have thought that --> would parse as two tokens -- and >

d8> x = 3
3
d8> x-- > 3
false
d8> x-->3
false
d8> x
1

yet at the start of the line it does appear to be introducing a comment. A quick web search didn't give me any hits for such syntax. Did you find this documented somewhere (curious)?
Aug 9 2017
e.g.

d8> -->blah!@#$%^&*()(*&^%$!#%&*((&*^%blah
undefined
Aug 9 2017
Aug 9 2017
Still, the %0a--> is only good for a single line so you've got to have naturally occurring valid JS from the next line until the block closes, so it's kind of a corner case.
Aug 9 2017
https://tc39.github.io/ecma262/#sec-html-like-comments shows this was introduced in ecma 2018.
Aug 9 2017
... and it's in ecma 2015 as well. http://www.ecma-international.org/ecma-262/6.0/#sec-html-like-comments
Aug 9 2017
It's the SingleLineHTMLCloseComment production in the linked grammar, which was already present in ES2015 (http://www.ecma-international.org/ecma-262/6.0/#sec-html-like-comments). V8 has a few bugs in this area: https://bugs.chromium.org/p/v8/issues/detail?id=6356
Aug 9 2017
Aug 10 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c953e74e29fbc0b3bdef53c09bff6f77b81d9492

commit c953e74e29fbc0b3bdef53c09bff6f77b81d9492
Author: Tom Sepez <tsepez@chromium.org>
Date: Thu Aug 10 17:59:07 2017

XSSAuditor: HTML closing comment might be JS comment start

x-->3 is x-- > 3, but \n-->3 is a comment. Bail on either.

Bug: 753307
Change-Id: I2a27f4b5677b35cb1a1941a601d6661014033e69
Reviewed-on: https://chromium-review.googlesource.com/608747
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#493457}

[add] https://crrev.com/c953e74e29fbc0b3bdef53c09bff6f77b81d9492/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment6-expected.txt
[add] https://crrev.com/c953e74e29fbc0b3bdef53c09bff6f77b81d9492/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment6.html
[modify] https://crrev.com/c953e74e29fbc0b3bdef53c09bff6f77b81d9492/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
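Added example (not from the bug thread and not Chromium's code): it reproduces the Annex B "-->" parsing quirk discussed in the d8 comments above and sketches the conservative "bail on either form" check the commit describes. The truncateAtCommentStart helper is a hypothetical simplification, not XSSAuditor's implementation.

```javascript
// Function() parses its body as non-module script code, so the Annex B
// HTML-like comment rules apply exactly as they do in a classic <script>.
function evalScript(src) {
  return Function(src)();
}

// Mid-line, "-->" is two tokens: postfix "--" followed by ">".
// x-- yields 3 (x becomes 2) and 3 > 3 is false, matching the d8 session.
function midLineDecrement() {
  return evalScript("var x = 3; var r = x-->3; return [r, x];");
}

// At the start of a line, "-->" opens a SingleLineHTMLCloseComment that
// swallows the rest of that line, so the assignment after it never runs.
function lineStartComment() {
  return evalScript('var x = 3;\n--><a href="1">click</a>; x = 999;\nreturn x;');
}

// Hypothetical, simplified helper: cut a script body at the first token that
// might begin a comment. "-->" is treated as a possible comment start in
// either position, since telling "x-- > 3" from "\n-->3" needs the preceding
// line terminator; bailing on both is the conservative choice.
function truncateAtCommentStart(js) {
  const m = /\/\/|\/\*|<!--|-->/.exec(js);
  return m ? js.slice(0, m.index) : js;
}

// Constructed script body modelled on the report: after truncation only the
// reflected "alert(1)" remains, which is what a reflection check must compare.
function reflectedPrefix() {
  const scriptBody =
    'alert(1)\n--><a href="1">click</a><script>var m="1"; document.title=m;';
  return truncateAtCommentStart(scriptBody).trim();
}
```

Without the "-->" case in truncateAtCommentStart, the whole block including the non-reflected markup would be compared against the request and the reflection would be missed.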
Aug 10 2017
Comment 1 by evn@google.com, Aug 8 2017
Components: -Blink Blink>SecurityFeature
Labels: -OS-Linux OS-All