[Webkit-unassigned] [Bug 29278] XSSAuditor bypasses from sla.ckers.org

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 15 18:21:03 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=29278

--- Comment #4 from Daniel Bates <dbates at webkit.org>  2009-09-15 18:21:02 PDT ---
Created an attachment (id=39628)
 --> (https://bugs.webkit.org/attachment.cgi?id=39628)
temp. workaround with test case for IFrame JavaScript URL issue

For the IFrame JavaScript URL example:

Notice the source code portion of the JavaScript URL is URL decoded on line 745
(*) of FrameLoader.cpp
<http://trac.webkit.org/browser/trunk/WebCore/loader/FrameLoader.cpp#L745>
before it is passed to FrameLoader::executeScript which eventually passes it to
the XSSAuditor.

Consider the example URL:
http://eaea.sirdarckcat.net/xss.php?html_xss=<iframe+src="javascript:'1%25251';alert(document.domain)">
which echoes in the HTTP response the string <iframe
src="javascript:'1%251';alert(document.domain)">. Looking at the source code
portion of the JavaScript URL, '1%251';alert(document.domain), and applying (*),
we see that |script| is set to the string "'1%1';alert(document.domain)".

The XSSAuditor compares this to the URL-decoded URL of the page
<http://trac.webkit.org/browser/trunk/WebCore/page/XSSAuditor.cpp#L274>, which
is:
http://eaea.sirdarckcat.net/xss.php?html_xss=<iframe+src="javascript:'1%251';alert(document.domain)">.

Another issue: since the FrameLoader reuses the same pipeline for JavaScript
URLs as for JavaScript scripts, we are losing information on the origin of the
script code (that is, whether it was extracted from a JavaScript URL or from an
inline JavaScript script).

The workaround calls the XSSAuditor::canEvaluateJavaScriptURL on the string
source code portion of the JavaScript URL (i.e.
url.string().substring(javascriptSchemeLength)) before it is decoded. So,
XSSAuditor will be comparing "'1%251';alert(document.domain)" to
http://eaea.sirdarckcat.net/xss.php?html_xss=<iframe+src="javascript:'1%251';alert(document.domain)">.

I am not happy with this workaround, because it calls the XSSAuditor twice (via
XSSAuditor::canEvaluateJavaScriptURL and via FrameLoader::executeScript) and I
have not fully vetted it to my satisfaction.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
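The decoding mismatch the comment describes, as an added example that is not part of the bug report or of WebKit's code. It is a simplified Python model of the two pipelines: the server echoes the `html_xss` parameter once-decoded into the iframe `src`, the original FrameLoader path URL-decodes the JavaScript URL's source a second time before the auditor sees it, and the workaround path hands the auditor the undecoded source. The auditor itself is reduced to a substring check against the once-decoded page URL (an assumption; the real XSSAuditor also normalizes the text before comparing). The page URL is the one quoted in the comment; the `echoed_iframe_src`, `auditor_blocks`, `original_pipeline` and `workaround_pipeline` names are hypothetical.

```python
from urllib.parse import unquote

JS_SCHEME = "javascript:"

# The request URL from the comment (the server decodes %2525 to %25 when echoing).
PAGE_URL = ('http://eaea.sirdarckcat.net/xss.php?html_xss='
            '<iframe+src="javascript:\'1%25251\';alert(document.domain)">')


def echoed_iframe_src(page_url):
    """Model of the echoing server: the parameter value is URL-decoded once and
    written into the response, so the iframe's src attribute carries that value."""
    query = page_url.split("html_xss=", 1)[1]
    echoed = unquote(query)
    start = echoed.index('src="') + len('src="')
    end = echoed.index('"', start)
    return echoed[start:end]


def auditor_blocks(script_source, page_url):
    """Simplified stand-in for the XSSAuditor check: the script text is considered
    reflected (and blocked) if it occurs in the URL-decoded page URL."""
    return script_source in unquote(page_url)


def decode_javascript_url(src):
    # Original FrameLoader behaviour from the comment: strip the scheme,
    # then URL-decode the source portion (a second decode overall).
    return unquote(src[len(JS_SCHEME):])


def raw_javascript_url_source(src):
    # Workaround: strip the scheme but leave the source portion undecoded.
    return src[len(JS_SCHEME):]


def original_pipeline(page_url):
    """Returns (script the auditor sees, whether it was blocked) for the buggy path."""
    src = echoed_iframe_src(page_url)
    script = decode_javascript_url(src)
    return script, auditor_blocks(script, page_url)


def workaround_pipeline(page_url):
    """Same, for the workaround path that compares the undecoded source."""
    src = echoed_iframe_src(page_url)
    script = raw_javascript_url_source(src)
    return script, auditor_blocks(script, page_url)


if __name__ == "__main__":
    print("echoed src :", echoed_iframe_src(PAGE_URL))
    print("original   :", original_pipeline(PAGE_URL))
    print("workaround :", workaround_pipeline(PAGE_URL))
```

Running it shows the auditor in the original path looking for `'1%1';alert(document.domain)` in a URL that only contains `'1%251';alert(document.domain)`, so the reflection goes unrecognized; in the workaround path the undecoded source matches and the script is blocked. The general lesson for any reflection-based filter is that the text being checked and the text it is checked against must have passed through the same number of decoding steps.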