Issue 793037 link

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 81697
Owner: ----
Closed: Dec 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: XSS by typing JavaScript into the address box

Reported by kunal...@gmail.com, Dec 7 2017

Issue description

Hello Chrome Security Team,

Today I want to report a vulnerability in JavaScript injection which might make it possible to display cookies, or simply XSS, by just using javascript in the URL.

So, we know that 
<script>alert(document.cookie)</script> or other payloads don't display any cookie in the popup; rather, they display a blank popup.
So Chrome's XSS prevention system always prevents displaying cookies from the domain.

But there is a way by which I can successfully display cookies from any domain.

Steps to reproduce the vulnerability

1) Visit a website like Google, Gmail or any page.

2) After visiting, just remove the whole URL from the address bar and type javascript:alert(document.cookie), or you can type javascript:confirm(document.cookie).

3) A popup appears with the cookie values from the domain.

Now, if a person is already logged in to Chrome, just type javascript:alert(document.cookie) or javascript:confirm(document.cookie) on the Chrome main page and the page will pop up with the cookie values of the Google account.

Please patch it as early as possible in chrome.

"Cookies are always the main concern."

With Regards

Kunal Pandey

Attaching POC .rar file.

(Operating System: Windows 8.1 64-bit; Chrome Version 63.0.3239.84 (Official Build) (64-bit))

Attachment: Chromebug.rar (673 KB)
Components: UI>Browser>Omnibox
Status: WontFix (was: Unconfirmed)
Summary: Security: XSS by typing JavaScript into the address box (was: Security: XSS with cookies displaying)
The ability of the user to execute JavaScript by typing it into the address box or developer tools is "Working as Designed".

https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Does-entering-JavaScript_URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there_s-an-XSS-vulnerability

>We know that  <script>alert(document.cookie)</script> or other payloads
>doesn't display any cookie in the popup,rather it's going to display Blank
>popup.

That is incorrect. The script provided will show the cookies of the current document, unless those cookies happen to be marked with the HTTPOnly attribute.
Mergedinto: 81697
Status: Duplicate (was: WontFix)
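The HttpOnly caveat in the reply above is the part a practitioner should take away: a script running in the page, whether from a real XSS or from a javascript: URL typed into the omnibox, sees exactly the cookies that were set without HttpOnly. The following is an added example, not part of the Chromium issue or of Chromium's code. It is a simplified model of Set-Cookie handling (not the browser's parser) that shows which of a constructed set of Set-Cookie headers would be readable through document.cookie, and a helper that hardens a session cookie header by adding the attributes a server should have set in the first place.

```javascript
// Added example, not from the Chromium issue. Models which cookies a page
// script (e.g. javascript:alert(document.cookie) typed in the omnibox) can
// read: browsers expose a cookie via document.cookie only when it was set
// without the HttpOnly attribute. The Set-Cookie headers are constructed.

// Parse one Set-Cookie header value into {name, value, attrs, rawAttrs}.
// attrs is keyed by lower-cased attribute name; rawAttrs keeps original text.
// Simplified: no quoting rules, no date parsing.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1); // value may contain '='
  const rawAttrs = parts.slice(1);
  const attrs = {};
  for (const p of rawAttrs) {
    const i = p.indexOf('=');
    const k = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[k] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs, rawAttrs };
}

// What document.cookie would return for these headers: every cookie that is
// not HttpOnly, serialized as "name=value; name=value" like the real property.
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Harden a Set-Cookie header for a session cookie: add HttpOnly (keeps it out
// of document.cookie), Secure (HTTPS only) and SameSite=Lax where absent.
// Existing attributes are kept verbatim.
function hardenSessionCookie(header) {
  const c = parseSetCookie(header);
  const out = [`${c.name}=${c.value}`, ...c.rawAttrs];
  if (!c.attrs.httponly) out.push('HttpOnly');
  if (!c.attrs.secure) out.push('Secure');
  if (!c.attrs.samesite) out.push('SameSite=Lax');
  return out.join('; ');
}

// Constructed sample: one properly flagged session cookie, two script-visible ones.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure',
  'theme=dark; Path=/',
  'csrftoken=xyz789; Path=/; SameSite=Lax',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('document.cookie would show:', scriptVisibleCookies(SAMPLE_HEADERS));
  console.log('hardened:', hardenSessionCookie('sessionid=abc123; Path=/'));
}
```

Running the block prints `theme=dark; csrftoken=xyz789` for the sample: the session cookie never reaches script, so the omnibox trick in the report reveals nothing a real XSS could not already read, and nothing at all for cookies a server flagged HttpOnly. The fix for cookie exposure therefore lives in the Set-Cookie header, not in the browser's handling of javascript: URLs.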
Comment 3 by sheriffbot@chromium.org (Project Member), Mar 16 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
