Issue 96616

Issue metadata

Status: WontFix
Closed: Sep 2011
Pri: 2
Type: Bug

Security: Google Chrome Anti-XSS filter circumvention

Reported by nikifora...@gmail.com, Sep 14 2011

Issue description

VULNERABILITY DETAILS
Google Chrome's built-in anti-XSS filter fails to sanitize JavaScript present in a GET request when the script is broken up into two, or more, GET parameters.

E.g. : http://securitee.org/files/chrome_xss.php?a=<script>alert(1);/*&b=*/</script>

Due to the multi-line comment delimiters, any HTML, JavaScript and text present between the two parameters will be treated as comments of the injected script.

VERSION
Chrome Version: 13.0.782.220 
Operating System: Windows 7

REPRODUCTION CASE
A demo PHP page that does not sanitize GET parameters and prints them out in its response is available at:
http://securitee.org/files/chrome_xss.php

Attached is a screenshot of the XSS bug in action

Attachment: chrome_xss.png (149 KB)

Comment 1 by jsc...@chromium.org, Sep 14 2011

Status: WontFix
Thank you for your report, but the XSS auditor is not intended to prevent this case.

Comment 2 by abarth@chromium.org, Sep 16 2011

Labels: -Restrict-View-SecurityTeam -Pri-0 -Area-Undefined SecSeverity-None Pri-2 Area-WebKit
Owner: abarth@chromium.org
We don't know of a way to defend against cases where the attacker can inject the page in two places.
Comment 3 by nikifora...@gmail.com

Hi,

I am under the impression that the way of bypassing the Anti-XSS that I submitted last September (discussed in this thread) is no longer working. It is definitely good news :) but I am a bit surprised since this was tagged as "WontFix". Has something changed?

Regards
Nick

Comment 4 by abarth@chromium.org, Jan 14 2012

You should still be able to exploit this vulnerability via another vector.  The problem is that the site allows injection in two places, which isn't something we can defend against (although it appears we do catch this particular way of exploiting this site).
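The split-parameter technique from the report, and the point Comment 4 makes about a site that reflects attacker input in two places, as an added example (not code from the report, from the demo PHP page or from Chromium). It models in Node.js a page that echoes every GET parameter raw, a deliberately simplified per-parameter reflection filter (an assumption for illustration, not how Chrome's XSS Auditor actually tokenized the response), and the server-side output encoding that does close the hole. The URL is the one from the report; it is only parsed, never requested.

```javascript
// Added example, not code from the bug report or from Chromium.
// Models the split-parameter bypass from issue 96616 in Node.js (no dependencies):
// a page that echoes every GET parameter raw, a deliberately simplified
// per-parameter reflection filter (NOT the real XSS Auditor algorithm), and the
// server-side output encoding that actually closes the hole.

// Split the query string into {name: value}; nothing is fetched from the URL.
function parseQuery(url) {
  const qs = url.split('?')[1] || '';
  const params = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const name = idx === -1 ? pair : pair.slice(0, idx);
    const value = idx === -1 ? '' : pair.slice(idx + 1);
    params[decodeURIComponent(name)] = decodeURIComponent(value);
  }
  return params;
}

// Hypothetical stand-in for the demo PHP page: prints each parameter unsanitized.
function vulnerablePage(params) {
  return Object.entries(params)
    .map(([name, value]) => `<p>${name} = ${value}</p>`)
    .join('\n');
}

// HTML entity encoding appropriate for text placed between tags.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Same page with output encoding applied to every reflected value.
function hardenedPage(params) {
  return Object.entries(params)
    .map(([name, value]) => `<p>${escapeHtml(name)} = ${escapeHtml(value)}</p>`)
    .join('\n');
}

// Simplified reflection-filter model: a parameter is flagged only if that single
// parameter carries a complete <script>...</script> element echoed in the response.
// This is the property the report exploits; it is not how Chrome's filter worked.
const SCRIPT_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>/i;
function perParameterFilterBlocks(params, html) {
  return Object.values(params).some((v) => SCRIPT_RE.test(v) && html.includes(v));
}

// What a browser would actually execute: every complete script element in the response.
function extractScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

function demo(url) {
  const params = parseQuery(url);
  const vuln = vulnerablePage(params);
  return {
    filterBlocks: perParameterFilterBlocks(params, vuln),
    scriptsInVulnerablePage: extractScripts(vuln),
    scriptsInHardenedPage: extractScripts(hardenedPage(params)),
  };
}

// The URL from the report (only parsed here, never requested) and a single-parameter control.
const SPLIT_URL = 'http://securitee.org/files/chrome_xss.php?a=<script>alert(1);/*&b=*/</script>';
const SINGLE_URL = 'http://securitee.org/files/chrome_xss.php?a=<script>alert(1)</script>';

console.log('split payload:', demo(SPLIT_URL));
// filterBlocks: false, yet the vulnerable page contains one script whose body is
// "alert(1);/*</p>\n<p>b = */": the markup between the two reflections is commented out.
console.log('single payload:', demo(SINGLE_URL));
// filterBlocks: true, scriptsInVulnerablePage: ['alert(1)']
```

Run with `node`. Neither reflected value is a complete script element on its own, so any check that looks at one parameter at a time has nothing to match, while the browser sees a single `<script>` whose body runs from the first reflection to the second with the intervening `</p><p>b = ` swallowed by the `/* ... */` comment. The hardened page yields no script elements for either URL, which is the fix a site owner controls; a client-side filter is at most defence in depth here.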
Comment 5 by nikifora...@gmail.com

Hi Adam,

Thank you for your reply. I have already found two other ways around the current filter using the way of splitting the script in two variables. If the anti-XSS mechanism, however, is not meant to cope with two parameters, I guess they are of little value to you.

Best Regards
Nick

Comment 6 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 7 by bugdroid1@chromium.org, Mar 10 2013

Labels: -SecSeverity-None -Type-Security -Area-WebKit Cr-Content Type-Bug-Security Security-Severity-None

Comment 8 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-None Security_Severity-None

Comment 9 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Labels: -Type-Bug-Security Type-Bug
Bulk unrestriction of Severity-none bugs.