[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAKhJGNZVUK=9qYRhgH0+gEga3+K8D=XKdrLoQNHxPQjEyizT0A@mail.gmail.com>
Date: Mon, 21 Jan 2013 16:32:11 +0100
From: Jakub Zoczek <zoczus@...il.com>
To: WHK Yan <yan.uniko.102@...il.com>
Cc: antrax.bt@...il.com, fdkaos2000@...oo.es, vuln@...unia.com,
submissions@...ketstormsecurity.com, submit@...ecurity.com,
full-disclosure@...ts.grok.org.uk, mr.inj3ct0r@...il.com,
vuldb@...urityfocus.com, el-brujo@...acker.net
Subject: Re: Google Chrome 24 Anti-XSS Filter Bypass
Hello,
Result of your php code is in 1 line. That's why your payload is parsed
correctly. On my test server, your test.php code returned two lines, and
browser gives me javascript parse error :) SO - if we have possibility to
create our full javascript payload without syntax problems by multiple
GET/POST variables - it seems to be working (same as most DOM-Based XSS) -
probably because of putting just part of the code to execute into variable
in request.
I also tried to search some method to bypass XSSAuditor - you can check
more details about method
here<http://zoczus.blogspot.com/2013/01/chrome-i-xssauditor.html>.
(in Polish).
Cheers!
JZ
On Mon, Jan 21, 2013 at 2:25 PM, WHK Yan <yan.uniko.102@...il.com> wrote:
> Sumary
> ----------
> A security flaw allows an attacker to execute XSS attacks evading the
> native filter AntiXSS.
>
> Details
> ---------
> A few days ago I found a way to circumvent the security system of the
> current latest version of Google Chrome that prevents XSS attack and I have
> left a temporary proof of concept here:
> http://ec2-50-16-152-72.compute-1.amazonaws.com/chrome-filterxss-bypass.php
>
> test.php
> <p> var1: <?php echo $ _GET ['var1'];?> </ p>
> <p> var2: <?php echo $ _GET ['var2'];?> </ p>
>
> Filter Works: test.php?var1=<script>alert(document.cookie);/*&var2=*/</
> script>
> Filter Bypass: test.php?var1=<script>alert(document.cookie);x='&var2=';</
> script>
>
> The problem is that Chrome does not remove everything that is in front of
> <script> allowing an attacker manage to obfuscate the code after the code
> is injected.
>
>
> http://trac.webkit.org/browser/trunk/Source/WebCore/html/parser/XSSAuditor.cpp?rev=119184#L91
> Only filter comments in script tag.
>
> To understand a little more of this we must first know that Google has
> provided a filter that prevents an attacker aprobecharse your browser, but
> ... How real is it in practice?
>
> Taking a look on the internet (
> https://www.google.cl/search?q=bypass%20chrome%20xss%20filter) I realized
> that over time there have been many ways to circumvent this security system
> and today is no exception, but end user then it really serves this added
> security system, the answer is NO and Microsoft knows very well also
> because since the release of Internet Explorer 8 have tried to create
> similar filters to prevent such attacks without positive results and that
> each security conference to be held somewhere in the world there is always
> someone who shows up with his new bypass your filter.
>
> But ... What is XSS? ...
> A technically XSS attack is when a web site prints everything that you
> send may inject malicious code can eg steal user sessions, etc. But even
> though this is purely because of a bad development WEB some companies opt
> for trying prevent such situations directly through their products
> (browsers).
>
> Was it reported?
> I did report waiting to give me something to google bounty program (
> http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program) but was told that was not covered xD indeed said they had some things
> that if filtered and some not:
>
> https://code.google.com/p/chromium/issues/detail?id=171114
> > # 1 jsc ... @ chromium.org
> >
> > That is correct. The XSS auditor does not filter script Explicitly
> injection split across multiple variables. At some point we plan on
> posting a document explaining what the XSS auditor can and can not filter.
>
> Is it 100% effective?
> The answer is too light and is a resounding NO, is like the case of a
> virus, the same manufacturers say they can not ensure that detect more than
> 30% of all existing viruses, in the case of the filters you can ensure
> neither antixss nobody ever you can hack through an XSS filter is actually
> the factory and can not or do not want to delete, and will have to use it.
>
> What are the risks of using anti XSS filters?
> Some companies like Microsoft have had huge problems by imposing these
> filters to users because some attackers manage to make such a filter is
> placed against the same users can steal accounts websites have never had
> problems security such as universal XSS case of Internet Explorer (
> http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Lindsay ). In
> other issues of standards and programming since in some cases they send
> some pages to a section where you send HTML content parameters and filters
> antixss the interrupt, which goes against the standard HTTP protocol
> because that's what URL encodings and proper web programming.
>
> Mozilla is very clear
> Today Mozilla Firefox does not use any filter antiXSS, why?, Because they
> have clear, use an anti xss only attracts more hackers and hackers to try
> to break those rules and effortlessly possible, try to impose filters is
> like trying to cover the sun with one finger, XSS flaws are not the fault
> of the explorers but developers of websites, for otherwise we often want to
> test or teach people about how to take care of codes such situations but it
> is only possible from mozilla firefox and others that do not include such a
> filter.
>
> From Mozilla Firefox recommend using NoScript addon (
> https://wiki.mozilla.org/Security/Features/XSS_Filter ) for people who
> really want a filter and not imposed. As always worrying about what we want
> and not of what we consume.
>
> (powered by Google Translator).
>
> Mirror
> --------
> http://whk.drawcoders.net/index.php/topic,2889.0.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists