[Webkit-unassigned] [Bug 68094] xssauditor - script block ending in comment can bypass auditor.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 14 17:53:09 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=68094
--- Comment #2 from Thomas Sepez <tsepez at chromium.org>  2011-09-14 17:53:09 PST ---
An even worse case is when the attacker controls two injections on the page, and can escape the intervening page content with /* in one injection and */ in the other.  Not sure if we want to tackle this case [chromium bug http://code.google.com/p/chromium/issues/detail?id=96616 closed as wontfix for this case].

Consider a page

print '<img src="' . $q1 . '"><foo>bar<baz/><img src="' . $q2 . '">';

?q1="><script>/*&other=clutter&q2=bam*//**/alert(0)//foo%0a</script>

One rule I can think of that might catch this is something like this:
- verify a <script> tag in the URL, else do nothing.
- without further decoding, parse the script block in the page, skipping over leading comments, and find the first actual code fragment, stopping at the next place a comment is introduced.
- reduce/canonicalize the fragment
- check if that fragment is present anywhere in the reduced/canonicalized URL.

so:

<img src=""><script>/*"><foo>bar<baz/><img src="bam*//**/alert(0)//foo
</script>

- verify <script> in URL.
- skip first comment /*"><foo>bar<baz/><img src="bam*/
- skip second comment /**/
- extract code fragment alert(0) up to next comment.
- decode and then find in URL.
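The matching heuristic sketched in Comment #2, worked through as an added example; this is not WebKit's XSSAuditor code. The function names, the simplified canonicalization (strip whitespace, lower-case) and the rule that the page-side script text is not percent-decoded are assumptions, and the sample script block and URL are the ones from the comment.

```javascript
// Skip leading /* ... */ and // comments (and whitespace) in a script block,
// returning the index of the first real code character.
function skipLeadingComments(src) {
  let i = 0;
  for (;;) {
    while (i < src.length && /\s/.test(src[i])) i++;
    if (src.startsWith('/*', i)) {
      const end = src.indexOf('*/', i + 2);
      if (end === -1) return src.length;      // unterminated comment: no code to check
      i = end + 2;
    } else if (src.startsWith('//', i)) {
      const nl = src.indexOf('\n', i);
      if (nl === -1) return src.length;
      i = nl + 1;
    } else {
      return i;
    }
  }
}

// First actual code fragment: from the end of the leading comments up to the
// next place a comment is introduced (either /* or //).
function firstCodeFragment(src) {
  const rest = src.slice(skipLeadingComments(src));
  const m = rest.search(/\/\*|\/\//);
  return m === -1 ? rest : rest.slice(0, m);
}

// Assumed reduction: drop all whitespace and lower-case (the real auditor's
// canonicalization is more involved; this is enough to show the idea).
function canonicalize(s) {
  return s.replace(/\s+/g, '').toLowerCase();
}

// The URL is percent-decoded before comparison; the script block is not.
function decodeUrl(url) {
  try { return decodeURIComponent(url.replace(/\+/g, ' ')); } catch (e) { return url; }
}

// Returns true when the block's first code fragment looks like it was reflected from the URL.
function fragmentInjectedFromUrl(scriptBody, url) {
  const decoded = decodeUrl(url);
  if (!/<script/i.test(decoded)) return false;   // rule 1: no <script> in the URL, do nothing
  const fragment = canonicalize(firstCodeFragment(scriptBody));
  return fragment.length > 0 && canonicalize(decoded).includes(fragment);
}

// Constructed sample, copied from the comment above: the script block as it lands in the page, and the request URL.
const PAGE_SCRIPT = '/*"><foo>bar<baz/><img src="bam*//**/alert(0)//foo\n';
const ATTACK_URL = '?q1="><script>/*&other=clutter&q2=bam*//**/alert(0)//foo%0a</script>';
```

The check skips both comments, extracts alert(0), and finds it in the decoded URL; a page whose leading comment is followed by its own code (such as `/* build 1 */ var x = 1;`) is not flagged even when the URL happens to contain `<script>`.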
