[Webkit-unassigned] [Bug 30242] New: [XSSAuditor] IFrame JavaScript URLs that are URL-encoded twice can bypass the XSSAuditor

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 8 17:13:50 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=30242

           Summary: [XSSAuditor] IFrame JavaScript URLs that are
                    URL-encoded twice can bypass the XSSAuditor
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://good.webblaze.org/dbates/xsstest.php?q=%3Cifram
                    e%20src=%22javascript:%20%250Aalert(/XSS/)%22%3E%3C/if
                    rame%3E
        OS/Version: Mac OS X 10.5
            Status: NEW
          Keywords: XSSAuditor
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dbates at webkit.org
                CC: sam at webkit.org, abarth at webkit.org
        Depends on: 30241


JavaScript URLs are inconsistently encoded/decoded before they are passed to
the XSSAuditor. Bug #29523 tried to address this by having the non-decoded
JavaScript URL passed to the XSSAuditor, but upon further investigation this
URL is still in an encoded form due to bug #____.

For example:
<iframe src="javascript: %250Aalert(/XSS/)"></iframe>

Note, the presence and position of the space character is critical in this
example because of the "fix" introduced as part of bug #29523. Also, when
URL-decoded, "%25" is the '%' character.

And consider this as part of a URL (*),
http://good.webblaze.org/dbates/xsstest.php?q=<iframe src="javascript:
%250Aalert(/XSS/)"></iframe>

The XSSAuditor::canEvaluateJavaScriptURL(const String& code) is passed code =
"%20%0Aalert(/XSS/)" (**).
Looking at the source code part of the JavaScript URL portion of the page URL
(*) as decoded by XSSAuditor::findInRequest, we have: "%0Aalert(/XSS/)".
(Actually, we also remove the character '0' as part of removing strings of the
form "\0" that can arise in PHP Magic Quoted code. So, the final decoded page
URL used when comparing (**) is: "%Aalert(/XSS)")

A variant of this example can contain a single-line JavaScript comment:
<iframe src="javascript: //%250Aalert(/XSS/)"></iframe>
http://good.webblaze.org/dbates/xsstest.php?q=%3Ciframe%20src=%22javascript:%20//%250Aalert(/XSS/)%22%3E%3C/iframe%3E

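The following is an added illustration, not WebKit code or the reporter's own test page. It walks the report's payload through a simplified model of the pipeline: the PHP page decodes the query once and reflects it, the URL layer re-escapes the literal space as %20, and the javascript: URL runner decodes the body one more time. A check that compares the once-decoded request against the still-encoded script body misses the payload; a check that decodes both sides to a fixed point catches it. All function names (percentDecodeOnce, flawedAuditorAllows, hardenedAuditorAllows, trace) are this example's own, the URL canonicalization is a simplification, and the '\0' stripping mentioned in the report is omitted.

```javascript
// Added example (not WebKit source): models the encode/decode mismatch in
// the report. Assumes a single-decode server, a URL layer that re-escapes
// spaces, and a javascript: runner that decodes the body once more.

// The request query from the report's test URL (constructed here as a string).
const REQUEST_QUERY =
  '%3Ciframe%20src=%22javascript:%20%250Aalert(/XSS/)%22%3E%3C/iframe%3E';

// One level of percent-decoding. Byte-oriented (ASCII only) and tolerant of
// malformed escapes such as "%Aa", which decodeURIComponent would reject.
function percentDecodeOnce(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Decode until the string stops changing, so "%250A" -> "%0A" -> "\n".
function percentDecodeFully(s, maxRounds = 8) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = percentDecodeOnce(cur);
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Server side: the PHP page decodes the query once and echoes it into HTML.
function reflectedHtml(query) {
  return percentDecodeOnce(query);
}

function iframeSrc(html) {
  const m = /src="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// URL layer (simplified): a literal space in the attribute is re-escaped as
// %20; escapes already present are kept as written.
function canonicalizeUrl(src) {
  return src.replace(/ /g, '%20');
}

// The javascript: URL body as handed to the auditor, and the script the
// runner actually evaluates after decoding that body one more time.
function scriptBody(url) {
  return url.slice('javascript:'.length);
}
function scriptToRun(url) {
  return percentDecodeOnce(scriptBody(url));
}

// Flawed check: decode the request once, look for the still-encoded body.
// The literal space became %20 on one side and stayed a space on the other,
// so the substring search fails and the script is allowed.
function flawedAuditorAllows(body, query) {
  return !percentDecodeOnce(query).includes(body);
}

// Hardened check: bring both sides to a decoding fixed point before comparing.
function hardenedAuditorAllows(body, query) {
  return !percentDecodeFully(query).includes(percentDecodeFully(body));
}

// Walk the payload through the pipeline and return every intermediate value.
function trace(query) {
  const html = reflectedHtml(query);
  const url = canonicalizeUrl(iframeSrc(html));
  const body = scriptBody(url);
  return {
    html,                 // '<iframe src="javascript: %0Aalert(/XSS/)"></iframe>'
    url,                  // 'javascript:%20%0Aalert(/XSS/)'
    body,                 // '%20%0Aalert(/XSS/)'  (the report's (**))
    script: scriptToRun(url),            // ' \nalert(/XSS/)'
    flawedAllows: flawedAuditorAllows(body, query),     // true: bypassed
    hardenedAllows: hardenedAuditorAllows(body, query), // false: blocked
  };
}

console.log(trace(REQUEST_QUERY));
```

The body string the model produces, "%20%0Aalert(/XSS/)", is the same value the report says reaches canEvaluateJavaScriptURL, and the once-decoded request carries "%0Aalert(/XSS/)" with a real space in front of it, which is why a single-decode comparison never lines up. Decoding both sides to a fixed point removes the attacker's control over how many layers each side has been stripped of.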