[Webkit-unassigned] [Bug 29278] XSSAuditor bypasses from sla.ckers.org

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 15 15:06:12 PDT 2009


--- Comment #1 from Daniel Bates <dbates at webkit.org>  2009-09-15 15:06:11 PDT ---
The second attack is blocked with r46250 with proposed patch 1 of bug #27895

(*)This is my working copy on one of my machines. I will look into doing a
clean checkout to confirm.

(In reply to comment #0)
> The good folks at sla.ckers.org are pouring over the XSSAuditor in this thread:
> http://sla.ckers.org/forum/read.php?13,31377
> So far, they've found two bypasses:
> http://eaea.sirdarckcat.net/xss.php?html_xss=<iframe+src="javascript:'1%25251';alert(document.domain)">
> http://eaea.sirdarckcat.net/xss.php?html_xss=<img%20src=ä%20onerror=alert('ä')>
> The first one is a nice double-encoding issue.  I think we're only decoding
> once.  I don't quite understand the second one yet.  Something tricky with
> unicode.
> Feel free to create spin-off bugs for fixing each issue.  I just wanted a
> central place to write them down for now.

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list