
Issue 798949


Issue metadata

Status: WontFix
Owner: ----
Closed: Jan 2018
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Bug in Chrome allows user to execute XSS through 'href=' and empty tab (about:blank)

Reported by elber.pa...@gmail.com, Jan 4 2018

Issue description

Chrome Version       : 63.0.3239.84
Other browsers tested: Chromium
  Add OK or FAIL, along with the version, after other browsers where you
  have tested this issue:
     Safari: FAIL
    Firefox: FAIL
       Edge: FAIL


What steps will reproduce the problem?
(1) Paste the payload in the href tag.
Payload: "test.:@javascript:alert('xss')"
(2) Open view-source and click the link.
(3) Press Enter on the URL.

PoC:



What is the expected result?
XSS alert on screen

<a href="test.:@javascript:alert('xss')">XSS</a>


Please provide any additional information below. Attach a screenshot if
possible.

Attachments:
chrome.png (8.8 KB)
chrome_xss.mp4 (1.9 MB)
xss2.png (15.4 KB)
xss.png (17.5 KB)
poc.html (56 bytes)
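The report above hinges on what a browser makes of the attribute value "test.:@javascript:alert('xss')": the alert only fires once the user manually presses Enter on a javascript: URL in the omnibox, which is why the issue is closed as WontFix below. For an application that renders user-supplied hrefs, the defensive lesson is the same in either case: do not blocklist the string "javascript:", parse the value with the same WHATWG URL grammar browsers use and accept only an allowlisted scheme. The following is an added example written for this page, not code from the Chromium issue or the Chromium project; the base URL, the allowlist, the function names and the sample inputs are all constructed assumptions.

```javascript
// Added example (not from the Chromium issue): allowlist-based href validation.
// Instead of blocklisting the string "javascript:", parse the candidate href
// with the WHATWG URL parser (the grammar browsers apply) and accept only a
// small set of schemes. BASE_URL and ALLOWED_SCHEMES are constructed assumptions.
const BASE_URL = "https://example.test/page";
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the parsed scheme (with its trailing colon) or null if the value
// cannot be parsed as a URL at all, relative or absolute.
function hrefScheme(href, base = BASE_URL) {
  try {
    return new URL(href, base).protocol;
  } catch (e) {
    return null;
  }
}

// True only when the href resolves to an allowlisted scheme. Because the URL
// parser lowercases the scheme and strips leading/trailing C0 controls and
// spaces, mixed-case or padded "javascript:" values are rejected as well.
function isSafeHref(href, base = BASE_URL) {
  const scheme = hrefScheme(href, base);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Sanitizes an href attribute value for output: keeps safe ones (normalized
// to their absolute form) and replaces everything else with a harmless "#".
function sanitizeHref(href, base = BASE_URL) {
  return isSafeHref(href, base) ? new URL(href, base).href : "#";
}

// Constructed sample inputs, including the payload reported in the issue.
const SAMPLES = [
  "test.:@javascript:alert('xss')",   // scheme is "test." (dots are legal in schemes)
  "javascript:alert('xss')",
  "JaVaScRiPt:alert('xss')",          // scheme comparison is case-insensitive
  "  javascript:alert('xss')",        // leading whitespace is stripped by the parser
  "/relative/path",                   // resolves against BASE_URL, so https:
  "https://example.test/ok",
  "mailto:user@example.test",
  "data:text/html,hi",                // not on the allowlist
];

// Stand-alone run: print scheme and verdict for every sample.
if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), "->", hrefScheme(s), isSafeHref(s) ? "ALLOW" : "BLOCK");
  }
}
```

Note that the reported payload parses with the scheme "test.", not "javascript", so a naive `startsWith("javascript:")` blocklist would have passed it; an allowlist rejects it for the simpler reason that "test." is not a scheme the application ever intends to link to.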
Labels: Needs-Triage-M63
Cc: sc00335...@techmahindra.com
Labels: Triaged-ET Needs-Feedback
elber.parelhas@ Thanks for the issue.

Tested this issue on Windows 10 and Mac OS 10.12.6 on the latest Stable 63.0.3239.132 and Canary 65.0.3323.0 and on the reported version 63.0.3239.84 by following the steps below.

1. Launched Chrome and opened the given HTML file.
2. Right-clicked and clicked on the "View page source" option.
3. Clicked on the "test.:@javascript:alert('xss')" link, which opened a new tab having javascript:alert('xss') in the omnibox.
4. Selected javascript:alert('xss') in the omnibox and hit the Enter key.
We can observe that an XSS alert pops up on the screen and about:blank is seen in the omnibox.
Attached is the screencast for reference.

Request you to please check and confirm if anything is missed from our end in triaging the issue.

Thanks..

Attachment:
798949.webm (1.4 MB)
All OK, nothing is missed.
Comment 5 by sheriffbot@chromium.org, Jan 17 2018

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "sc00335628@techmahindra.com" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Needs-Feedback
Thanks for responding!

@Reporter: Can you please confirm whether we can close this issue?
All right, thanks.
Comment 8 by sheriffbot@chromium.org, Jan 18 2018

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "sc00335628@techmahindra.com" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: WontFix (was: Unconfirmed)
As per comment #7, closing this issue as WontFix. Please feel free to open a new bug if the issue is still seen.

Thanks!