[Webkit-unassigned] [Bug 66585] New: XSS Filter Bypass with long strings
bugzilla-daemon at webkit.org
Fri Aug 19 14:01:33 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=66585
Summary: XSS Filter Bypass with long strings
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Keywords: XSSAuditor
Severity: Normal
Priority: P2
Component: WebKit Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: abarth at webkit.org
CC: dbates at webkit.org
Depends on: 66580
http://code.google.com/p/chromium/issues/detail?id=76796
VULNERABILITY DETAILS
There is a way to bypass the anti-XSS filter for DOM XSS by exploiting "window.location.href".
Considering a typical URL:
scheme://domain:port/path?query_string#fragment_id
Browsers encode correctly both "path" and "query_string", but not the "fragment_id".
Explorer does not encode the "query_string" either.
So if the "fragment_id" is used, the vector is also not logged on the web server.
VERSION
Chrome Version: 10.0.648.134 (Official Build 77917) beta
REPRODUCTION CASE
This is an xss_location.html page:
[[
<script type="text/javascript" language="javascript">
// Sink: the raw URL, fragment included, is written into the document as HTML.
document.write( window.location.href );
</script>
]]
The attack vector is:
xss_location.html?#<script>alert('XSS');</script>
* PoC:
For your convenience, a minimalist PoC is located on:
http://security.onofri.org/xss_location.html?#<script>alert('XSS');</script>
* References
- DOM Based Cross Site Scripting or XSS of the Third Kind - http://www.webappsec.org/projects/articles/071105.shtml
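The two facts the report rests on (the fragment never reaches the server, and document.write is an HTML sink) can be shown without a browser. The following is an added example, not code from the WebKit bug or from the Chromium report it quotes; it models the page as a string, uses a constructed href with a placeholder host, and puts the page's reflection pattern beside an escaped version. The helper names (serverVisiblePart, escapeHtml, renderUnsafe, renderSafe) are assumptions for this example:

```javascript
// Added example (not from the WebKit bug or the Chromium report it quotes).
// It demonstrates:
//  1. the fragment never leaves the browser, so server-side filters and logs
//     cannot see a payload carried there;
//  2. reflecting window.location.href into the page through document.write
//     is an HTML sink; the text must be escaped before it is written.
// Runs under Node (no DOM), so the "page" is modelled as a string.

// Split a URL the way the report does: scheme://host/path?query#fragment.
// Only the part before '#' is ever sent in the HTTP request line.
function serverVisiblePart(href) {
  const hashIndex = href.indexOf('#');
  return hashIndex === -1 ? href : href.slice(0, hashIndex);
}

// Minimal HTML escaping for text that lands in an HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern from the report: the raw href becomes markup.
// Equivalent to document.write(window.location.href).
function renderUnsafe(href) {
  return '<p>' + href + '</p>';
}

// Hardened pattern: escape before the value reaches an HTML sink. In a real
// page the equivalent is element.textContent = window.location.href, or
// document.createTextNode(window.location.href), which never parse markup.
function renderSafe(href) {
  return '<p>' + escapeHtml(href) + '</p>';
}

// Does the rendered output contain a live <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed href in the shape of the report's vector (placeholder host).
const EXAMPLE_HREF =
  "http://example.invalid/xss_location.html?#<script>alert('XSS');</script>";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('server sees :', serverVisiblePart(EXAMPLE_HREF));
  console.log('unsafe      :', renderUnsafe(EXAMPLE_HREF));
  console.log('safe        :', renderSafe(EXAMPLE_HREF));
}
```

Because serverVisiblePart drops everything after '#', a filter that works from the request (a server-side WAF, access logs, or an auditor that compares the response against the request URL) has nothing to match; the only reliable mitigation for this sink is client-side, by never handing location.href to document.write or innerHTML unescaped.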