Full Disclosure mailing list archives

Re: Chrome (and Safari) antiXSS filter bypass


From: Pedro Worcel <pedro () worcel com>
Date: Thu, 23 Jan 2014 18:52:44 +1300

Hey,

I got a 403 while attempting to visit the URL.

Error 403 demofaast.elevenpaths.com <http://demofaast.elevenpaths.com:9002/>
Apache/2.4.4 (Win32) OpenSSL/0.9.8y PHP/5.4.19

Thanks,
Pedro


2014/1/22 vulns () 11paths com <vulns () 11paths com>

Modern browsers usually have an antiXSS filter that protects users from
some of the consequences of this kind of attack. Normally, they block
cross site scripting execution, so the "injected" code (normally,
JavaScript or HTML) is not executed inside the victim's browser. Chrome calls
this filter XSSAuditor.


But if the victim visits a website with an XSS problem that an attacker is
trying to take advantage of, it would not be fully protected. This bug
is based on a misuse of the srcdoc attribute of the IFRAME tag, included
in the HTML5 definition. To perform an XSS attack on Google Chrome
Browser or Safari using this bug, the website must include an IFRAME
and must be able to read any attribute of this element from HTTP parameters
(GET/POST) without applying any charset filter. Then, in the IFRAME
parameter, the srcdoc attribute may be included with JavaScript
code. The browser cannot filter it and it will be executed.


An HTML injection on the src parameter would be:


iframe src=""srcdoc="<script>alert('Bypass message')</script>"


For a proof of concept, visit:



http://demofaast.elevenpaths.com:9002/xssbypass/iframebypass.php?iframe=%22srcdoc=%22%3Cscript%3Ealert('Bypass%20message')%3C/script%3E


The problem was reported on October 23rd. They fixed it two days
later, making XSSAuditor catch reflected srcdoc properties even without an
"IFRAME" tag injection. Chrome has just fixed it in the recent 32.0.1700.76
version.


Safari for Mac and iPhone is vulnerable as well.



This weakness has been discovered by Ioseba Palop from Eleven Paths (
ioseba.palop () 11paths com). Full samples and detailed explanation here:
http://blog.elevenpaths.com/2014/01/how-to-bypass-antixss-filter-in-chrome.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




-- 
GPG: http://is.gd/droope <http://is.gd/signature_>
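The quoted advisory says the bypass needs a page that reflects an HTTP parameter into an IFRAME attribute without encoding it. The example below is added here and is not code from the advisory or from Eleven Paths: it assumes the PoC page looks like `<iframe src="<?php echo $_GET['iframe']; ?>"></iframe>` (a hypothetical reconstruction of iframebypass.php), models how a browser's tag tokenizer reads the reflected markup, and shows the server-side fix, attribute encoding, next to the vulnerable rendering. The tokenizer is a minimal illustration of the relevant HTML5 rules, not a full parser.

```javascript
// Added example; models a hypothetical reflecting page, not the real iframebypass.php.
// Assumed vulnerable template:  <iframe src="<?php echo $_GET['iframe']; ?>"></iframe>

// Decoded value of the ?iframe= parameter in the advisory's PoC URL.
const PAYLOAD = '"srcdoc="<script>alert(\'Bypass message\')</script>';

// Vulnerable: the parameter is reflected verbatim into the attribute value.
function renderVulnerable(param) {
  return `<iframe src="${param}"></iframe>`;
}

// Encode the characters that can change meaning inside a quoted attribute.
// '&' first, so already-encoded text is not double-decoded later.
function escapeAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened: same page, but the reflected value is attribute-encoded.
function renderHardened(param) {
  return `<iframe src="${escapeAttr(param)}"></iframe>`;
}

// Entity decoding a browser applies to attribute values (only the five above).
function decodeEntities(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Minimal tokenizer for one start tag. The two HTML5 behaviours that matter
// here: a quoted value ends at its matching quote, and whatever follows the
// closing quote (even with no whitespace) is read as the next attribute name.
// The first occurrence of a duplicated attribute name wins.
function parseStartTag(html) {
  let i = 0;
  if (html[i] !== '<') throw new Error('expected a start tag');
  i++;
  let name = '';
  while (i < html.length && /[A-Za-z0-9]/.test(html[i])) name += html[i++];
  const attrs = {};
  while (i < html.length) {
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] === '>') { i++; break; }
    if (html[i] === '/') { i++; continue; }
    let attrName = '';
    while (i < html.length && !/[\s=>\/]/.test(html[i])) attrName += html[i++];
    while (i < html.length && /\s/.test(html[i])) i++;
    let value = '';
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < html.length && html[i] !== q) value += html[i++];
        i++; // closing quote
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
      }
    }
    const key = attrName.toLowerCase();
    if (key && !Object.prototype.hasOwnProperty.call(attrs, key)) {
      attrs[key] = decodeEntities(value);
    }
  }
  return { name: name.toLowerCase(), attrs, rest: html.slice(i) };
}

// True when the reflected value escaped the src attribute and produced srcdoc.
function hasInjectedSrcdoc(html) {
  return Object.prototype.hasOwnProperty.call(parseStartTag(html).attrs, 'srcdoc');
}

console.log('vulnerable:', parseStartTag(renderVulnerable(PAYLOAD)).attrs);
console.log('hardened:  ', parseStartTag(renderHardened(PAYLOAD)).attrs);
```

On the vulnerable rendering the tokenizer sees `src=""` followed immediately by a second attribute, `srcdoc="<script>...</script>"`, which is the markup the advisory says XSSAuditor did not catch before Chrome 32.0.1700.76. On the hardened rendering the whole parameter stays inside the single `src` value, so no srcdoc attribute exists for any filter to miss; the browser-side filter is defence in depth, and the site's own output encoding is the actual fix.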
