[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Chrome 11 Anti-XSS ByPass

To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Chrome 11 Anti-XSS ByPass
From: Manuel Fernández Fernández <mfernandez@xxxxxxxxxxxxxxxxx>
Date: Wed, 25 May 2011 17:50:34 +0200

Hello,

During the creation of a hacking challenge about XSS we had to figure out how 
to bypass the new AntiXSS filter in Google Chrome. It was included in the 
latest release and we were in the middle of a hacking challenge about XSS and 
Sesion Fixation. We were thinking about to change the rules of the game, but, 
we managed to bypass the filter in an easy way, so we didn´t change it and 
players were also able to discover it. This is the "how":

When a string that can execute any kind of javascript which it is injected, 
like could be <img src=”noexist” onerror=”alert();”/>, Google Chrome fix the 
source code in runtime, replacing the original string by the following, <img 
src="noexist" onerror="">, so the injected javascript code is missed and it’s 
not possible to execute any attack.

Chrome also has a function to fix or rewrite HTML source code that isn’t 
well-formed. If a website that contains a tag like ‘’, it will try to rewrite 
the source code to construct a proper HTML code. For example, if we introduce a 
string like <img src="noexist" onerror=alert, Chrome will try to close the img 
tag with the following closing tag, in this case <html>.
<img src="noexist" onerror="alert!!!</html">

It can give to an attacker a vector to bypass the Anti-XSS filter, due to it 
applies first the filter and then checks whether the HTML code is well-formed 
or not, modifying it if needed..

So, it’s possible to create a non-well-formed tag, that after being rewritten, 
it will be a properly XSS.
An example of it may be this one: <img src="noexist" onerror=alert();//, due 
that it would be rewrote as <img src="noexist" 
onerror="alert();//!!!&lt;/html">, bypassing the AntiXSS filter.

Best Regards,

Manu "The Sur" and Rodolfo Bordon from Informatica64.com

Manuel Fernández
Informática 64
Dep. Desarrollo y Seguridad
C/ Juan Ramón Jiménez, 8 Bajo Post. Local
28932 Móstoles - Madrid
Telf. 91 146 20 00 – Fax: 91 146 20 03
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [ MDVSA-2011:101 ] dovecot
Next by Date: [Full-disclosure] The Case of the Great Router Robbery
Previous by thread: [Full-disclosure] [ MDVSA-2011:101 ] dovecot
Next by thread: [Full-disclosure] The Case of the Great Router Robbery
Index(es):
- Date
- Thread