Update: The bug has already been reported to the Google Chrome team. The details can be found here: https://code.google.com/p/chromium/issues/detail?id=330972. The team was not able to reproduce the issue in their test environment. I validated this issue on the Command and Control (C&C) panel of a botnet :) and was not in a position to reveal the details of that panel. Anyway, the bug is in WontFix state and Google Chrome is still vulnerable to these types of XSS auditor bypasses.
Recently, while working on my research, I encountered an XSS auditor bypass in Google Chrome (<= 32.0.1700.41 m Aura).
(Screenshot: Google Chrome, latest version tested.)
Consider the URL http://www.example.com/index.php?m=login, which generates the following login form:
For the injection, we crafted the URL as follows:
As a result, the Google Chrome XSS auditor is bypassed.
Inference: a few points that should be taken into consideration:
1. The design of the web application affects how the XSS auditor behaves: where and how the application reflects request data determines what the auditor gets to compare.
2. Instead of always targeting the HTTP parameters, also play around with the URI structure, for example path segments.
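To make the two inference points concrete, here is an added example (it is not code from the original post and not the post's actual vector): a Node.js rendering of a login form whose action attribute reflects the raw request URI, beside a hardened version that attribute-encodes it. The reflection point, the function names and the sample URIs are assumptions chosen for illustration. It shows that with such a design a payload placed in a path segment, leaving the m= query parameter untouched, reaches the markup just the same, and that server-side output encoding removes the problem regardless of what any browser-side filter does.

```javascript
// Added example, not code from the original post. The reflection point (the
// form's action attribute), the function names and the sample URIs are
// assumptions chosen to illustrate the inference above.

// Escape the characters that matter in HTML text and quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

const FORM_FIELDS =
  '<input name="user"><input name="pass" type="password"><input type="submit">';

// Vulnerable design: the raw request URI (path and query string) is echoed into
// the action attribute. Any part of the URI, not only the m= parameter, is a
// reflection point.
function renderLoginFormVulnerable(requestUri) {
  return `<form method="post" action="${requestUri}">${FORM_FIELDS}</form>`;
}

// Hardened design: the reflected value is attribute-encoded, so it cannot close
// the quote or open a tag, whatever the browser-side filter does.
function renderLoginFormSafe(requestUri) {
  return `<form method="post" action="${escapeHtml(requestUri)}">${FORM_FIELDS}</form>`;
}

// Did the payload break out of the attribute into tag context, i.e. does the
// rendered markup now contain an injected script element?
function containsInjectedTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample requests. Both serve the login page (m=login); the second
// carries the payload in a path segment, leaving the query parameter untouched.
const BENIGN_URI = '/index.php?m=login';
const PATH_PAYLOAD_URI = '/index.php/"><script>alert(1)</script>?m=login';

function demo() {
  return {
    vulnerableBenign: containsInjectedTag(renderLoginFormVulnerable(BENIGN_URI)),
    vulnerablePathPayload: containsInjectedTag(renderLoginFormVulnerable(PATH_PAYLOAD_URI)),
    safePathPayload: containsInjectedTag(renderLoginFormSafe(PATH_PAYLOAD_URI)),
  };
}

console.log(demo());
```

Run it with node. The server-side fix is the point: a client-side filter such as the XSS Auditor was only ever a best-effort mitigation (Chrome later removed it entirely), so an application must encode reflected data itself rather than rely on the browser to catch the injection.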
Note: Internet Explorer (its XSS Filter) blocked this vector.
Additional reading: check out the inside details of the Google Chrome XSS Auditor:
- XSS Auditor source code: https://code.google.com/p/webkit-mirror/source/browse/Source/WebCore/html/parser/XSSAuditor.cpp
- More about the XSS Auditor (the original paper): http://www.collinjackson.com/research/xssauditor.pdf