Chrome XSS protection Bypass
Reported by milany...@gmail.com, Nov 22 2017
Issue description

Chrome is very smart when it comes to detecting XSS and any malicious scripts. However, after an intensive amount of testing, I have found a way to bypass it and load malicious content and scripts. The filter was able to detect all of the scripts, even the encrypted ones and normal ones such as <iframe%20width="560"%20height="315"%20src="https://www.youtube.com/embed/hh9x4NqW0Dw"%20frameborder="0"%20allowfullscreen></iframe>. Moreover, after loading this script <%2Fscript>%20<img%20src="https://ubistatic19-a.akamaihd.net/resource/en-GB/game/watchdogs/watchdogs/Tumbrl-roundup-header2_1920x1080_EMEA_259557.jpg"%20alt="Smiley%20face"%20border="300">%20<script> I was able to bypass the protection and Chrome could not detect my script, and I was able to retrieve dangerous files. The video attached shows a proof of concept on a vulnerable website that I have created and did the testing on to illustrate the problem. I hope these findings improve the AI detection to protect people from those types of dangerous scripts.
Nov 22 2017

This POC injects an image element into the victim webpage, but does not show the execution of any script in the victim domain. Do you have a proof-of-concept that executes JavaScript in the victim domain?
Nov 22 2017

In particular, when reporting XSS bypasses, we always want to know two exact pieces of information:

1. The exact URL used to retrieve the page
2. The exact reflection in the page text (as shown by e.g. view source)

Having said that, the filter does not remove image injections. If you can execute JavaScript, typically something like alert(document.domain), then feel free to re-open the bug.
Comment 1 by elawrence@chromium.org, Nov 22 2017
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
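As an added example (not code from the report or from Chromium): the two reflected fragments quoted in the report, run through a constructed page that reflects a query value first verbatim and then with context-appropriate output encoding. It shows why server-side encoding, rather than the browser-side filter the report relies on, is what removes both the iframe and the image injection; the template, helper names and the "reflected inside a script literal" layout are assumptions.

```javascript
// Added example, not code from the bug report or Chromium. The reflected
// fragments below are the two strings quoted in the report; the template
// that reflects them is a constructed stand-in for the reporter's test site.
const IFRAME_INJECTION =
  '<iframe%20width="560"%20height="315"%20src="https://www.youtube.com/embed/hh9x4NqW0Dw"%20frameborder="0"%20allowfullscreen></iframe>';
const IMG_INJECTION =
  '<%2Fscript>%20<img%20src="https://ubistatic19-a.akamaihd.net/resource/en-GB/game/watchdogs/watchdogs/Tumbrl-roundup-header2_1920x1080_EMEA_259557.jpg"%20alt="Smiley%20face"%20border="300">%20<script>';

// HTML-body context: make the five significant characters inert.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Inline <script> string context: JSON.stringify handles quotes and
// backslashes; escaping "<" as \u003c guarantees the literal can never
// contain "</script>", which is what lets the "</script> ... <script>"
// fragment close the script block early.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c');
}

// Constructed vulnerable page: the decoded query value is reflected verbatim
// into a script literal and into the body, with no encoding at all.
function renderUnsafe(decoded) {
  return `<script>var q = "${decoded}";</script>\n<p>Results for ${decoded}</p>`;
}

// Same page with context-appropriate output encoding in both places.
function renderSafe(decoded) {
  return `<script>var q = ${jsStringLiteral(decoded)};</script>\n` +
    `<p>Results for ${escapeHtml(decoded)}</p>`;
}

// Count start tags of one name that survive as real markup in the output.
function countTags(html, name) {
  return (html.match(new RegExp(`<${name}\\b`, 'gi')) || []).length;
}

// How many live <name> elements the raw (URL-encoded) query produces in each
// rendering. For the report's fragments: unsafe 2 (both contexts), safe 0.
function tagCounts(rawQuery, name) {
  const decoded = decodeURIComponent(rawQuery);
  return { unsafe: countTags(renderUnsafe(decoded), name),
           safe: countTags(renderSafe(decoded), name) };
}

console.log(tagCounts(IMG_INJECTION, 'img'));       // { unsafe: 2, safe: 0 }
console.log(tagCounts(IFRAME_INJECTION, 'iframe')); // { unsafe: 2, safe: 0 }
```

The `script` count makes the breakout visible too: the unsafe rendering ends up with three `<script` openers (the page's own plus the two reflected copies), the encoded one with only the page's own.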