Self Xss using onclick
Reported by rooterka...@gmail.com, Sep 7 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

Steps to reproduce the problem:
1. Save the below PoC as onclick.html
2. Open it in a new tab
3. Click on the link; it will pop up the self-XSS

What is the expected behavior?
It should prevent the alert box.

What went wrong?
It pops up the alert box.

Did this work before? N/A

Chrome version: 60.0.3112.113 Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 26.0 r0

I am not sure how legit it is, but do let me know if it's invalid.
Sep 7 2017
Ohh okay, thanks for the quick response. Just out of curiosity, if I am able to drop this text into the address bar and it pops up, will that be an issue? I am a noob in this field, sorry for the lame queries.
Sep 7 2017
I wrote about socially-engineered XSS attacks here: https://blogs.msdn.microsoft.com/ieinternals/2011/05/19/socially-engineered-xss-attacks/ Within Chrome, dragging a JavaScript URL to the omnibox or copy/pasting one should result in the "JavaScript:" prefix being dropped from the string. If the user manually types a JavaScript URL, this is permitted: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Does-entering-JavaScript_URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there_s-an-XSS-vulnerability
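The paste and drag handling described in the comment above can be modelled as follows. This is an added illustration, not part of the thread and not Chromium's code; the names `stripJavaScriptScheme` and `omniboxText`, the whitespace and repeated-prefix handling, and the sample inputs are assumptions made for the example.

```javascript
// Illustrative model only, not Chromium source. Text that reaches the
// address bar by paste or drag loses any leading "javascript:" prefix,
// so "paste this into your address bar" lures do not execute script.
const SCHEME = "javascript:";

// Remove every leading "javascript:" prefix from `text`.
// Assumed policy for this sketch: leading whitespace and control characters
// are skipped, matching is case-insensitive, and stripping repeats so that
// "javascript:javascript:..." cannot survive a single pass.
function stripJavaScriptScheme(text) {
  let rest = text;
  for (;;) {
    const trimmed = rest.replace(/^[\u0000-\u0020]+/, "");
    if (trimmed.slice(0, SCHEME.length).toLowerCase() !== SCHEME) {
      // Nothing stripped: return the input untouched. Otherwise return the
      // remainder with the prefix and surrounding whitespace removed.
      return rest === text ? text : trimmed;
    }
    rest = trimmed.slice(SCHEME.length);
  }
}

// `source` is "paste", "drag" or "typed" (hypothetical labels). Typed input
// is left alone, matching the comment: a manually typed URL is permitted.
function omniboxText(text, source) {
  return source === "typed" ? text : stripJavaScriptScheme(text);
}

// Constructed sample inputs, not taken from the report.
const samples = [
  ["javascript:alert('self-XSS')", "paste"],
  ["  JavaScript:JAVASCRIPT: alert(1)", "drag"],
  ["https://example.com/", "paste"],
  ["javascript:alert(1)", "typed"],
];
for (const [text, source] of samples) {
  console.log(source.padEnd(5), JSON.stringify(text), "->",
              JSON.stringify(omniboxText(text, source)));
}
```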
Dec 15 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Sep 7 2017
Yes, with full control of the markup of the page, you can easily respond to DOM events using JavaScript. Instead of the rather complicated code you've provided, you could just as easily write:
<a onclick="alert('self-XSS');">CLICK ME</a>