<html><head></head><body bgcolor="#FFFFFF">
<div>[ If this is not the right forum for the following question, please let me know ]</div>
<div><br></div>
<div>Hello,<br>
<br>
<span>I am new to the list and am looking for advice on something I observed</span><br>
<span>during a recent engagement. The issue mostly looks like a potential</span><br>
<span>XSSAuditor bypass but I am unsure if the behavior is by design or is</span><br>
<span>actually a bug.</span><br>
<br>
<span>To start with, here is the scenario:</span><br>
<br>
<span>1. Chrome sends an HTTP POST request with user-provided input; the</span><br>
<span>input is a simple XSS string as shown in the request log below:</span><br>
<br>
<span>-- sample request --</span><br>
<br>
<span>POST /filter_params HTTP/1.1</span><br>
<span>Host: xx.xx.xx.xx</span><br>
<span>Connection: keep-alive</span><br>
<span>Content-Length: 589</span><br>
<span>Origin: <a href="https://xx.xx.xx.xx/">https://xx.xx.xx.xx</a></span><br>
<span>X-Prototype-Version: 1.6.0.3</span><br>
<span>X-Requested-With: XMLHttpRequest</span><br>
<span>User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/</span><br>
<span>535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11</span><br>
<span>Content-type: application/x-www-form-urlencoded; charset=UTF-8</span><br>
<span>Accept: text/javascript, text/html, application/xml, text/xml, */*</span><br>
<span>Referer: <a href="https://xx.xx.xx.xx/tools/1">https://xx.xx.xx.xx/tools/1</a></span><br>
<span>Accept-Encoding: gzip,deflate,sdch</span><br>
<span>Accept-Language: en-US,en;q=0.8</span><br>
<span>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3</span><br>
<span>Cookie: user_credentials=abcd</span><br>
<br>
<span>filter_params=&amp;filter_params_set_name=%3Cscript%3Ealert(566656)%3C</span><br>
<span>%2Fscript%3E&amp;filter_params_ngrams=&amp;commit=Submit&amp;filter%5Bname%5D=</span><br>
<span>%3Cscript%3Ealert(566656)%3C%2Fscript%3E&amp;_=</span><br>
<br>
<span>2. The server responds with HTTP 200 OK. The response is as shown</span><br>
<span>below:</span><br>
<br>
<span>-- sample response --</span><br>
<br>
<span>HTTP/1.1 200 OK</span><br>
<span>Content-Type: text/javascript; charset=utf-8</span><br>
<span>Connection: keep-alive</span><br>
<span>Status: 200</span><br>
<span>X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.7</span><br>
<span>X-Runtime: 81</span><br>
<span>Content-Length: 420</span><br>
<span>Cache-Control: private, max-age=0, must-revalidate</span><br>
<span>Server: nginx/1.0.0 + Phusion Passenger 3.0.7 (mod_rails/mod_rack)</span><br>
<br>
<span>var opt = document.createElement('option'); opt.text =</span><br>
<span>'&lt;script&gt;alert(566656)&lt;/script&gt;'; opt.value = '435'; opt.selected =</span><br>
<span>true; $('filter_params').options.add(opt)</span><br>
<span>$('scenarios_container').insert('&lt;span id="435"&gt;&lt;script&gt;alert(566656)&lt;/</span><br>
<span>script&gt;&lt;small class="edits"&gt;o&lt;/small&gt;&lt;small class="closes"&gt;x&lt;/small&gt;&lt;/</span><br>
<span>span&gt;')</span><br>
<span>$('new_filter_params').hide()</span><br>
<span>$('filter_params_set_name').value = ''; $</span><br>
<span>('filter_params_ngrams').value = ''</span><br>
<br>
<span>3. The result is a prompt with 566656. The above code is supposed to</span><br>
<span>dynamically populate a drop-down list with options provided by the end</span><br>
<span>user.</span><br>
<br>
<span>XSSAuditor is enabled at this point, so I am wondering if the</span><br>
<span>JavaScript code in the response is not filtered because it is part of</span><br>
<span>a script and not a normal HTML response body?</span><br>
<br>
<span>Any insight or reasoning for this behavior is appreciated :)</span><br>
<br>
<span>Thanks</span><br>
Prasad<br>
<br>
Thank you,<div>Prasad N. Shenoy</div></div></body></html>
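The response quoted in the post interpolates the submitted name into two different contexts at once: a JavaScript string literal (`opt.text = '...'`) and an HTML fragment that Prototype's `insert()` parses, which is why the `<script>` element ends up executing regardless of what a browser-side reflected-XSS filter does with the page. The following is an added example, not code from the post or from the application it describes, that reproduces that server-side pattern and places a context-correct encoding next to it. The builder functions, the numeric-id assumption and the `containsRawScriptTag` check are assumptions made for illustration; the `$()` calls in the generated text are only emitted as strings, never executed here.

```javascript
// Added example (not from the original post): generating the kind of
// inline-JavaScript response described above, first the way the captured
// response does it (raw interpolation) and then with context-correct
// encoding. Function names and the numeric-id rule are assumptions.

// Escape for an HTML text or attribute context.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Encode for a JavaScript string-literal context. JSON.stringify handles
// quotes, backslashes and control characters; the extra replacements keep
// sequences such as "</script" or "<!--" from terminating an enclosing
// element if the same snippet is ever embedded in an HTML document.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The unsafe pattern from the captured response: user data spliced straight
// into a JS string literal and into an HTML fragment that insert() will
// parse (and whose <script> elements Prototype evaluates).
function buildResponseUnsafe(id, name) {
  return (
    "var opt = document.createElement('option'); opt.text = '" + name + "'; " +
    "opt.value = '" + id + "'; opt.selected = true; $('filter_params').options.add(opt)\n" +
    "$('scenarios_container').insert('<span id=\"" + id + "\">" + name +
    "<small class=\"edits\">o</small><small class=\"closes\">x</small></span>')\n"
  );
}

// Hardened form: the value is HTML-escaped for the fragment (inner context)
// and the whole fragment is then JSON-encoded for the JS literal (outer
// context). Encoding order matters: innermost context first.
function buildResponseSafe(id, name) {
  const idText = String(Number(id)); // ids are numeric in this app (assumption)
  if (idText === "NaN") throw new Error("non-numeric id");
  const fragment =
    '<span id="' + idText + '">' + htmlEscape(name) +
    '<small class="edits">o</small><small class="closes">x</small></span>';
  return (
    "var opt = document.createElement('option'); opt.text = " + jsStringLiteral(name) + "; " +
    "opt.value = " + jsStringLiteral(idText) + "; opt.selected = true; $('filter_params').options.add(opt)\n" +
    "$('scenarios_container').insert(" + jsStringLiteral(fragment) + ")\n"
  );
}

// A simple regression check for a test suite or a response-scanning rule:
// does the generated script still carry a raw <script tag?
function containsRawScriptTag(js) {
  return /<script\b/i.test(js);
}

// Constructed input: the string from the captured request.
const PAYLOAD = "<script>alert(566656)</script>";
console.log(buildResponseUnsafe("435", PAYLOAD));
console.log(buildResponseSafe("435", PAYLOAD));
```

In the hardened output the option text survives intact (JSON decoding restores `<script>...</script>` as plain text, which `opt.text` treats as text) while the inserted fragment carries `&lt;script&gt;`, so the HTML parser produces a text node rather than an element. Encoding per context on the server is what closes the issue; a browser-side filter such as the XSS Auditor is at best a secondary layer and, as the post observes, may not inspect a `text/javascript` XHR response at all.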