Google Chrome 31.0 Webkit Auditor Bypass

Vulnerability ID: 1044394 Vulnerability type:
Published: 2013-09-25 Updated: 2013-09-25
Platform: N/A CVSS score: N/A
# Title: Chrome 31.0 Webkit XSS Auditor Bypass
# Product: Google Chrome
# Author: Rafay Baloch @rafaybaloch And PEPE Vila


Chrome XSS Auditor is a client-side XSS filter used by Google Chrome
to protect against XSS attacks. The filter has already been beaten
many times, and there are still many contexts in which it fails.


The vulnerability lies in the way server-side code escapes certain
characters: it replaces them with characters that still yield valid
JavaScript syntax. For instance, replacing single quotes, double quotes,
etc. with - yields valid JavaScript syntax, and the response no longer
matches the submitted parameter, which is the comparison the XSS Auditor
relies on.

Proof of concept

The following is a challenge set up by a gentleman with the nick "Strong boi":

The expected solution was to use a well-known unfixed bug in Chrome,
using both parameters a and b to execute the JavaScript. However, we
noticed different behaviour when we injected an apostrophe: it was
converted to -, yielding valid syntax and executing the JavaScript.
So this would work whenever the server-side application replaces
special characters with - or anything similar that keeps the syntax
valid.

'alert(0);%3C/script%3E

Output Source:

First search:<input type="text" name="a"
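
The dash replacement described above, next to context-aware encoding for a JavaScript string, as an added example that is not part of the original advisory or the challenge's code. Function names are assumptions, the sample is the advisory's string URL-decoded, and reflectedVerbatim is a simplified stand-in for request/response matching, not Chrome's implementation.

```javascript
// Sample: the advisory's string, URL-decoded as a server would receive it.
const SAMPLE = decodeURIComponent("'alert(0);%3C/script%3E");

// Weak filter described in the advisory: quotes become "-". The dash is a
// valid JavaScript operator and ( ) ; < / > pass through untouched.
function replaceQuotesWithDash(input) {
  return input.replace(/['"]/g, "-");
}

// Hardened: every UTF-16 code unit outside [A-Za-z0-9] becomes \uXXXX, so
// the value stays data when written inside a quoted JS string literal.
function encodeForJsString(input) {
  let out = "";
  for (let i = 0; i < input.length; i++) {
    const unit = input[i];
    out += /[A-Za-z0-9]/.test(unit)
      ? unit
      : "\\u" + input.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return out;
}

// True when the encoded text contains only alphanumerics and \uXXXX escapes.
function isInertInJsString(encoded) {
  return /^(?:[A-Za-z0-9]|\\u[0-9a-f]{4})*$/.test(encoded);
}

// Simplified stand-in for request/response matching (assumption; not
// Chrome's actual implementation).
function reflectedVerbatim(requestValue, responseBody) {
  return responseBody.includes(requestValue);
}

const weak = replaceQuotesWithDash(SAMPLE);
const safe = encodeForJsString(SAMPLE);
console.log("weak output:      ", weak);
console.log("matches request?  ", reflectedVerbatim(SAMPLE, weak));
console.log("syntax survives?  ", !isInertInJsString(weak));
console.log("hardened output:  ", safe);
console.log("inert, round-trip:", isInertInJsString(safe),
  JSON.parse('"' + safe + '"') === SAMPLE);
```

Neither output matches the request verbatim, so a request/response comparison cannot tell the two apart; only the server-side encoding decides whether the reflected value stays data.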