[Webkit-unassigned] [Bug 30242] [XSSAuditor] IFrame JavaScript URLs that are URL-encoded twice can by bypass the XSSAuditor

Thu Oct 8 17:24:31 PDT 2009

https://bugs.webkit.org/show_bug.cgi?id=30242


--- Comment #1 from Daniel Bates <dbates at webkit.org>  2009-10-08 17:24:31 PDT ---
#____ should be #30241
(In reply to comment #0)
> JavaScript URLs are inconsistently encoded/decoded before they are passed to
> the XSSAuditor. Bug #29523 tried to address this by having the non-decoded
> JavaScript URL passed to the XSSAuditor, but upon further investigation this
> URL is still in an encoded form to bug #____.
> 
> For example:
> <iframe src="javascript: %250Aalert(/XSS/)"></iframe>
> 
> Note, the presence and position of the space character is critical in this
> example because of the "fix" introduced as part of bug #29523. Also, when url
> decoded "%25" is the '%' character.
> 
> And consider this as part of a URL (*),
> http://good.webblaze.org/dbates/xsstest.php?q=<iframe src="javascript:
> %250Aalert(/XSS/)"></iframe>
> 
> The XSSAuditor::canEvaluateJavaScriptURL(const String& code) is passed code =
> "%20%0Aalert(/XSS/)" (**).
> Looking at the source code part of the JavaScript URL portion of the page URL
> (*) as decoded by XSSAuditor::findInRequest, we have: "%0Aalert(/XSS/)".
> (Actually, we also remove the character '0' as part of removing strings of the
> form "\0"  that can arise in PHP Magic Quoted code. So, the final decoded page
> URL used when comparing (**) is: "%Aalert(/XSS)")
> 
> A variant of this example can contain a single-line JavaScript comment:
> <iframe src="javascript: //%250Aalert(/XSS/)"></iframe>
> http://good.webblaze.org/dbates/xsstest.php?q=%3Ciframe%20src=%22javascript:%20//%250Aalert(/XSS/)%22%3E%3C/iframe%3E

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.