[Webkit-unassigned] [Bug 27405] New: [XSSAuditor] URL encoded ampersand can be used to bypass XSSAuditor

Fri Jul 17 22:52:46 PDT 2009

https://bugs.webkit.org/show_bug.cgi?id=27405

           Summary: [XSSAuditor] URL encoded ampersand can be used to
                    bypass XSSAuditor
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
               URL: http://webblaze.org/dbates/xsstest.php?q=<a
                    href='about:blank' onclick=alert('%26q')>Test</a>
        OS/Version: All
            Status: NEW
          Keywords: XSSAuditor
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dbates at berkeley.edu
                CC: sam at webkit.org, abarth at webkit.org

When decoding HTML entities (XSSAuditor::decodeHTMLEntities), the ampersand is
removed and the supposed entity is consumed. If the entity turns out to be
invalid, such as an unknown named entity, then a null-character is inserted
into the decoded result, which creates a discrepancy between the script code
and the HTTP parameters.

Consider:

Inline Event Handler:
http://webblaze.org/dbates/xsstest.php?q=%3Ca%20href='http://www.webblaze.org'%20onclick='alert(/%26XSS/)'%3EClick%3C/a%3E

JavaScript Link:
http://webblaze.org/dbates/xsstest.php?q=%3Ca%20href=javascript:alert(/%26XSS/)%3EClick%3C/a%3E

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.