Issue 795379

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Dec 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug


Bypass anti-XSS

Reported by lacroute...@gmail.com, Dec 15 2017

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0

Steps to reproduce the problem:
With Firefox, open this URL:
https://www.boktipset.se/search/search.cgi?image=&search=%27%22%2F%3E%3Cscript%3Ealert(/OPENBUGBOUNTY/)%3B%3C%2Fscript%3E

The Chromium anti-XSS rules are bypassed.

What is the expected behavior?
Bypass of the anti-XSS rules.

What went wrong?
The anti-XSS rules are bypassed.

Did this work before? N/A 

Chrome version: Chromium 62.0.3202.89 (`chromium --version`: built on Debian buster/sid, running on Debian kali-rolling)  Channel: n/a
OS Version: Kali rolling, up to date
Flash Version: 

Bypass of the anti-XSS rules.

Attachment: Capture du 2017-12-15 21-21-59.png (47.7 KB)
Components: Blink>SecurityFeature
Components: -Blink>SecurityFeature Blink>SecurityFeature>XSSAuditor
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Android OS-Chrome OS-Mac OS-Windows Type-Bug
XSS Auditor bypasses are considered functional issues, not security bugs.
https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Are-XSS-filter-bypasses-considered-security-bugs-
FWIW, I get the XSS Auditor blocking page when loading this URL in Chrome 63 to Chrome 65. 

I need to inject the XSS with Firefox using this URL:
https://www.boktipset.se/search/search.cgi?image=&search=%27%22%2F%3E%3Cscript%3Ealert(/OPENBUGBOUNTY/)%3B%3C%2Fscript%3E

and then test the main URL of the website with Chromium:
https://www.boktipset.se/

The popup is present on my Android phone
with an up-to-date Chromium version.
Screenshot PoC from my Android.


Attachment: xssandroid.png (35.4 KB)

Comment 6 by jochen@chromium.org, Dec 18 2017

Owner: tsepez@chromium.org
Status: Assigned (was: Unconfirmed)
The XSS is not really a stored XSS; the website saves the search history for some time. It is enough to relaunch the search a dozen times to remove the XSS.
Status: WontFix (was: Assigned)
Oh, I see what you're saying. You've found a stored XSS attack on the victim domain. You cannot exploit reflected XSS in Chrome, but if you plant the exploit via Firefox, the stored XSS executes in Chrome.

Yes, this is working as expected. XSS Auditor/Filters cannot protect against stored XSS.

Have you reached out to the buggy website?
Yes, I contacted the webmaster of the website in question, explaining his problem.
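A worked illustration of the closing point in this thread (a reflection-based filter such as the XSS Auditor has nothing in the request to match against once the payload is served from server-side storage), added here as an example; it is not code from the Chromium project or from this report. The filter heuristic, the vulnerable search page, the `makeStore`/`renderSearchPage`/`auditorBlocks` names and the bounded history of twelve entries (after the reporter's "a dozen") are all hypothetical simplifications of the behaviour described above:

```javascript
// Added example, not Chromium or boktipset.se code. Models why a
// reflected-XSS filter blocks the direct URL but not the stored copy.

// The payload from the report, URL-decoded.
const PAYLOAD = "'\"/><script>alert(/OPENBUGBOUNTY/);</script>";

// Hypothetical server-side store of recent searches: the site keeps a
// bounded search history for a while, and old entries fall off the end.
function makeStore(limit = 12) {
  const recent = [];
  return {
    add(term) {
      recent.push(term);
      if (recent.length > limit) recent.shift();
    },
    list() {
      return recent.slice();
    },
  };
}

// Hypothetical vulnerable page: echoes the current query AND the stored
// history without HTML-escaping either.
function renderSearchPage(query, store) {
  store.add(query);
  const history = store.list().map((t) => `<li>${t}</li>`).join("");
  return `<html><body>
<input name="search" value="${query}"/>
<ul id="recent">${history}</ul>
</body></html>`;
}

// Simplified reflection heuristic: block when a <script> element found in
// the response also appears, decoded, in the request URL. The real Auditor
// worked on tokenizer output with more matching rules; this is the core idea.
function extractScripts(html) {
  return [...html.matchAll(/<script\b[^>]*>[\s\S]*?<\/script>/gi)].map((m) => m[0]);
}

function auditorBlocks(requestUrl, responseHtml) {
  const decodedQuery = decodeURIComponent(new URL(requestUrl).search);
  return extractScripts(responseHtml).some((s) => decodedQuery.includes(s));
}

// Scenario 1, reflected: payload is in the request and in the response,
// so the filter finds the match and blocks. Returns true.
function reflectedIsBlocked() {
  const store = makeStore();
  const url = "https://example.invalid/search?search=" + encodeURIComponent(PAYLOAD);
  const html = renderSearchPage(PAYLOAD, store);
  return auditorBlocks(url, html);
}

// Scenario 2, stored: the payload was planted by an earlier request (the
// reporter used Firefox, which had no such filter). The victim's own
// request is harmless, yet the stored copy is rendered. Returns false:
// the filter has nothing in the request to match on.
function storedIsBlocked() {
  const store = makeStore();
  renderSearchPage(PAYLOAD, store); // attacker plants it
  const victimUrl = "https://example.invalid/search?search=books";
  const html = renderSearchPage("books", store); // victim's benign search
  return auditorBlocks(victimUrl, html);
}

// Scenario 3, the "self-healing" the reporter mentions: after enough new
// searches the bounded history drops the payload. Returns true once n
// further searches have pushed it out of a 12-entry history.
function payloadGoneAfterSearches(n) {
  const store = makeStore(12);
  renderSearchPage(PAYLOAD, store);
  let html = "";
  for (let i = 0; i < n; i++) html = renderSearchPage("q" + i, store);
  return !html.includes(PAYLOAD);
}

console.log("reflected blocked:", reflectedIsBlocked());
console.log("stored blocked:", storedIsBlocked());
console.log("gone after 12 searches:", payloadGoneAfterSearches(12));
```

The fix for the site itself is the usual one and is independent of any client-side filter: HTML-escape `query` and every history entry before interpolating them into the page, or better, build the markup with a templating engine that escapes by default.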
