# Title: Chrome 31.0 Webkit XSS Auditor Bypass
# Product: Google Chrome
# Author: Rafay Baloch @rafaybaloch And PEPE Vila
# Company: Majorsecurity GMBH
# Website: Majorsecurity.com

============
Description
============

Chrome XSS Auditor is a client side XSS filter used by google chrome
to protect against XSS attacks. Chrome XSS filter has already been beaten
ltos of times, so we thought why don't we give a try.

============
Vulnerability
============

There is a certain criteria that needs to be met for this bypass, For this
bypass the server side filter should convert an aprostrophe ' to
dash -, which is a commonly known practice.

================
Proof of concept
================

The following is a challenge setup by a gentle man with a nick "Strong boi":

http://12342.site11.com/level2.php

The expected solution was to use a well known unfixed bug in chrome and
using both parameters a and b to execute the javascript. However, we
noticed a different behavior, when we injected an apostrophe. It was being
converted to - and hence yielding a valid syntax and executing the
javascript.


http://12342.site11.com/level2.php?a=%22%3E%3Cscript%3E'alert(0);%3C/script%3E

Output Source:

First search:<input type="text" name="a"
value="<script>1-alert(0);</script>"/><br>