[Webkit-unassigned] [Bug 29278] New: XSSAuditor bypasses from sla.ckers.org
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Sep 15 13:33:05 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=29278
Summary: XSSAuditor bypasses from sla.ckers.org
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
URL: http://sla.ckers.org/forum/read.php?13,31377
OS/Version: All
Status: NEW
Keywords: XSSAuditor
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: abarth at webkit.org
CC: sam at webkit.org, dbates at webkit.org
The good folks at sla.ckers.org are pouring over the XSSAuditor in this thread:
http://sla.ckers.org/forum/read.php?13,31377
So far, they've found two bypasses:
http://eaea.sirdarckcat.net/xss.php?html_xss=<iframe+src="javascript:'1%25251';alert(document.domain)">
http://eaea.sirdarckcat.net/xss.php?html_xss=<img%20src=ä%20onerror=alert('ä')>
The first one is a nice double-encoding issue. I think we're only decoding
once. I don't quite understand the second one yet. Something tricky with
unicode.
Feel free to create spin-off bugs for fixing each issue. I just wanted a
central place to write them down for now.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list