|
# Title: Chrome 31.0 Webkit XSS Auditor Bypass
# Product: Google Chrome
# Author: Rafay Baloch @rafaybaloch And PEPE Vila
# Company: Majorsecurity GMBH
# Website: Majorsecurity.com
============
Description
============
Chrome XSS Auditor is a client side XSS filter used by google chrome
to protect against XSS attacks. Chrome XSS filter has already been beaten
ltos of times, so we thought why don't we give a try.
============
Vulnerability
============
There is a certain criteria that needs to be met for this bypass, For this
bypass the server side filter should convert an aprostrophe ' to
dash -, which is a commonly known practice.
================
Proof of concept
================
The following is a challenge setup by a gentle man with a nick "Strong boi":
http://12342.site11.com/level2.php
The expected solution was to use a well known unfixed bug in chrome and
using both parameters a and b to execute the javascript. However, we
noticed a different behavior, when we injected an apostrophe. It was being
converted to - and hence yielding a valid syntax and executing the
javascript.
http://12342.site11.com/level2.php?a=%22%3E%3Cscript%3E'alert(0);%3C/script%3E
Output Source:
First search:<input type="text" name="a"
value="<script>1-alert(0);</script>"/><br>
|