Google Chrome 31.0 Webkit Auditor Bypass

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1044394 漏洞类型
发布时间 2013-09-25 更新时间 2013-09-25
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2013090173
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
# Title: Chrome 31.0 Webkit XSS Auditor Bypass
# Product: Google Chrome
# Author: Rafay Baloch @rafaybaloch And PEPE Vila


============
Description
============

Chrome XSS Auditor is a client side XSS filter used by google chrome
to protect against XSS attacks. Chrome XSS filter has already been beaten
a lot of times and there still exists lots of contexts where it fails.

============
Vulnerability
============

The vulnerability lies in the way people escape certain characters, while
replacing certain characters with characters
that would still yeild a valid javascript syntax. For instance, stripping
out Single quotes, Double quotes etc with - would yield a valid javascript
syntax and since the response won't match the output parameter.

================
Proof of concept
================

The following is a challenge setup by a gentle man with a nick "Strong boi":

http://12342.site11.com/level2.php

The expected solution was to use a well known unfixed bug in chrome and
using both parameters a and b to execute the javascript. However, we
noticed a different behaviour, when we injected an apostrophe. It was being
converted to - and hence yielding a valid syntax and executing the
javascript. So, this would work whenever the server side application
would try replacing special characters to - or anything similar that
would make the syntax valid.

http://12342.site11.com/level2.php?a=%22%3E%3Cscript%3E'alert(0);%3C/script%3E

Output Source:

First search:<input type="text" name="a"
value="<script>1-alert(0);</script>"/><br>