[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Chrome (and Safari) antiXSS filter bypass

To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Chrome (and Safari) antiXSS filter bypass
From: "vulns@xxxxxxxxxxx" <vulns@xxxxxxxxxxx>
Date: Wed, 22 Jan 2014 06:55:57 +0000

Modern browsers usually have an antiXSS filter, that protects users from some
of the consequences of this kind of attacks. Normally, they block cross site
scripting execution, so the "injected" code (normally, JavaScript or HTML) is
not executed inside victim's browser. Chrome calls this filter XSSAuditor.

But if the victim visits a website with an XSS problem that an attacker is
trying to take advantage of, it would not be fully protected. This bug is
based on a misuse of srcdoc attribute of IFRAME tag, included in
HTML5 definition. To perform an XSS attack on Google Chrome Browser or
Safari using this bug, the website must include an IFRAME and must be able
to read any attribute of this element from HTTP parameters (GET/POST) without
applying any charset filter. Then, in the IFRAME parameter, the srcdoc
attribute may be included with JavaScript code. The browser cannot filter it
and will be executed.

An HTML injection on src parameter would be:

iframe src=""srcdoc="<script>alert('Bypass message')</script>"

For a proof of concept, visit:

http://demofaast.elevenpaths.com:9002/xssbypass/iframebypass.php?iframe=%22srcdoc=%22%3Cscript%3Ealert('Bypass%20message')%3C/script%3E

The problem was reported in October, the 23rd. They fixed it two days later,
making XSSAuditor catch reflected srcdoc properties even without an "IFRAME"
tag injection. Chrome has just fixed it in recent 32.0.1700.76 version.

Safari for Mac and iPhone is vulnerable as well.

This weakness has been discovered by Ioseba Palop from Eleven Paths
(ioseba.palop@xxxxxxxxxxx<mailto:ioseba.palop@xxxxxxxxxxx>). Full samples and
detailed explanation here:
http://blog.elevenpaths.com/2014/01/how-to-bypass-antixss-filter-in-chrome.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Chrome (and Safari) antiXSS filter bypass
  - From: Pedro Worcel

Prev by Date: [Full-disclosure] [CVE-2013-6040] MW6 Technologies ActiveX buffer overflows and remote code execution
Next by Date: [Full-disclosure] Capstone 2.0 is released!
Previous by thread: [Full-disclosure] [CVE-2013-6040] MW6 Technologies ActiveX buffer overflows and remote code execution
Next by thread: Re: [Full-disclosure] Chrome (and Safari) antiXSS filter bypass
Index(es):
- Date
- Thread