XSSAuditor bypass assigning to innerHTML
Reported by
qusai.al...@gmail.com,
Sep 24
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36

Steps to reproduce the problem:
1. Create a simple HTML file which uploads a txt file which includes an XSS vulnerability payload.
2. The payload is " --><!-- ---> <img src=xxx:x onerror=javascript:alert(/xss/)> --> "

What is the expected behavior?
I expect that Chrome will block such a request, but it allows the XSS to load.

What went wrong?
An XSS pop-up appears.

Did this work before? No

Chrome version: 68.0.3440.106
Channel: n/a
OS Version: 10.0
Flash Version:

This should be audited by Chrome, and it should block such files or scripts.
Sep 24
Tested with Chrome 69 and it works as well.
Sep 25
Hi Vamshi, what do you mean by Needs-Milestone?
Sep 25
Any update on this, please?
Sep 26
Able to reproduce the issue on the latest canary 71.0.3561.0 and stable 69.0.3497.100 on Windows 10, Mac OS 10.13.6 and Linux Debian Rodete. The same behavior is observed on older M-60 (60.0.3112.20) as well. Marking this as Untriaged and requesting someone from the respective team for their inputs. Note: the XSS pop-up is shown on other browsers (Edge, Firefox) as well.
Sep 27
I think this is by design, per the comment that we do not XSS filter innerHTML. That's the first time XSSAuditor would encounter this content. https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/html/parser/html_document_parser.cc?sq=package:chromium&g=0&l=658
Sep 27
Hi, I read the link you sent, but what I think is this: when uploading a document which includes an XSS payload, a pop-up appears, specifically with the one in the file which I sent. If the innerHTML has a different XSS vector, it doesn't work with this, but this one works.
Oct 1
Any update on this ?
Oct 1
Tom, can you triage this?
Oct 2
Hi Tom, I know you are busy, and sorry for keeping on asking about an update.
Oct 2
Hi, not busy, just out unexpectedly for a few days ... catching up.
Oct 2
This is a DOM-based XSS, since you are computing a string in JS, and not a reflected XSS. XSS auditor is only effective against reflective XSS, so the payload must be part of the URL or the POST body. Additionally, we don't apply the filter to "document fragments" eg. innerHTML for performance reasons, though we've thought about doing so in the past.
Oct 2
OTOH, x.innerHTML="<script>alert()</script>" doesn't execute, so I'm left wondering if there was some other work apart from XSSAuditor to deal with active assignment to innerHTML.
Oct 2
OTOOH, x.innerHTML="<img src=xxx:x onerror=javascript:alert(/xss/)>" does execute, even without the leading punctuation.
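The upload page from the report, as an added example that is not code from this thread: the innerHTML sink that XSSAuditor never sees, beside the textContent fix and an entity-encoding helper for cases where the text must be embedded in markup. The element ids and the FileReader wiring are assumptions.

```javascript
// Added example (not code from the bug thread). Element ids are assumed.
// The payload string is the one quoted in the original report.
const REPORTED_PAYLOAD =
  '--><!-- ---> <img src=xxx:x onerror=javascript:alert(/xss/)> -->';

// Vulnerable sink: the file's text is handed to the HTML parser. The string
// never appeared in a URL or POST body, so XSSAuditor has nothing to compare
// against; the parser creates the <img> and its onerror handler runs when the
// bogus src fails to load. (A <script> inserted this way would not run; an
// event-handler attribute does.)
function renderUnsafe(container, text) {
  container.innerHTML = text;
}

// Fix: treat the upload as data, not markup. textContent never invokes the
// HTML parser, so "<img ...>" is displayed literally.
function renderSafe(container, text) {
  container.textContent = text;
}

// When the text has to be embedded in an HTML string (a template, server-side
// rendering), encode the characters that carry meaning to the parser instead.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Browser wiring (assumed ids): read the chosen .txt file and render it safely.
function wireUpload(inputId = 'upload', outputId = 'out') {
  const input = document.getElementById(inputId);
  const out = document.getElementById(outputId);
  input.addEventListener('change', () => {
    const reader = new FileReader();
    reader.onload = () => renderSafe(out, reader.result);
    reader.readAsText(input.files[0]);
  });
}

// Only attach the handler when running inside a page.
if (typeof document !== 'undefined') wireUpload();
```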
Oct 2
Thanks Tom for your replies, really appreciated, but why did you tag it as duplicate?!!!
Oct 2
Because folks have been reporting innerHTML assignments as XSSAuditor bypasses since 2012.
Oct 2
Thanks Tom for the clarification. So you accept as a bug only reflected XSS?
Oct 2
Can I report reflected XSS here, or as a new bug?
Oct 2
File a new bug for a reflected XSS, if you've found one (the example in the original description is not a reflected XSS, as I've pointed out). You've got a different example, right?
Oct 2
Yes, a different one.
Comment 1 by tkent@chromium.org, Sep 24