[Webkit-unassigned] [Bug 29278] New: XSSAuditor bypasses from sla.ckers.org

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 15 13:33:05 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=29278

           Summary: XSSAuditor bypasses from sla.ckers.org
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
               URL: http://sla.ckers.org/forum/read.php?13,31377
        OS/Version: All
            Status: NEW
          Keywords: XSSAuditor
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: abarth at webkit.org
                CC: sam at webkit.org, dbates at webkit.org


The good folks at sla.ckers.org are poring over the XSSAuditor in this thread:

http://sla.ckers.org/forum/read.php?13,31377

So far, they've found two bypasses:

http://eaea.sirdarckcat.net/xss.php?html_xss=<iframe+src="javascript:'1%25251';alert(document.domain)">
http://eaea.sirdarckcat.net/xss.php?html_xss=<img%20src=ä%20onerror=alert('ä')>

The first one is a nice double-encoding issue.  I think we're only decoding
once.  I don't quite understand the second one yet.  Something tricky with
unicode.

Feel free to create spin-off bugs for fixing each issue.  I just wanted a
central place to write them down for now.

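An added illustration (not WebKit's XSSAuditor code, and not from the report) of the "only decoding once" hypothesis for the first bypass: a toy reflecting page and a toy javascript: URL consumer are each modelled as one percent-decode, and a filter that decodes the request once is shown beside one that decodes to a fixpoint. The reflecting-page and consumer models are assumptions, not the real xss.php or WebKit behaviour.

```python
from urllib.parse import unquote

# Constructed sample: the query value from the first reported bypass, with the
# '+' of the original URL already written as a space.
DOUBLE_ENCODED_PARAM = "<iframe src=\"javascript:'1%25251';alert(document.domain)\">"


def decode_to_fixpoint(value: str, max_rounds: int = 8) -> str:
    """Percent-decode until the value stops changing, so every nesting level
    of %25-encoding is stripped (bounded to avoid pathological input)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def reflect(param: str) -> str:
    """Assumed model of the reflecting page: the server decodes the query
    value once and echoes it into the HTML unchanged."""
    return unquote(param)


def script_that_runs(html: str) -> str:
    """Assumed model of the browser side: the text after 'javascript:' in the
    src attribute is percent-decoded once more when the URL is navigated."""
    start = html.index("javascript:") + len("javascript:")
    end = html.index('"', start)
    return unquote(html[start:end])


def single_decode_filter_blocks(param: str, html: str) -> bool:
    """Filter that decodes the request once before matching (the behaviour the
    report suspects): it blocks only if the script that will run appears in
    the once-decoded request, so a %2525 payload slips through."""
    return script_that_runs(html) in unquote(param)


def fixpoint_filter_blocks(param: str, html: str) -> bool:
    """Same check, but the request is canonicalised to its decoding fixpoint,
    so the doubly-encoded payload matches the script that actually executes."""
    return script_that_runs(html) in decode_to_fixpoint(param)
```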