lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 22 Jan 2014 06:55:57 +0000
From: "vulns@...aths.com" <vulns@...aths.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Chrome (and Safari) antiXSS filter bypass

Modern browsers usually have an antiXSS filter, that protects users from some of the consequences of this kind of attacks. Normally, they block cross site scripting execution, so the "injected" code (normally, JavaScript or HTML) is not executed inside victim's browser. Chrome calls this filter XSSAuditor.

But if the victim visits a website with an XSS problem that an attacker is trying to take advantage of, it would not be fully protected. This  bug  is  based  on  a  misuse  of  srcdoc  attribute  of  IFRAME tag,  included  in  HTML5 definition.  To  perform an  XSS  attack  on Google  Chrome  Browser or Safari  using this  bug,  the website must  include an IFRAME and must be able to read any attribute of this element from HTTP parameters (GET/POST) without applying any charset filter. Then, in the IFRAME parameter,  the  srcdoc  attribute  may be included with JavaScript  code. The browser cannot filter it and will be executed.

An HTML injection on src parameter would be:

iframe src=""srcdoc="<script>alert('Bypass message')</script>"

For a proof of concept, visit:

 http://demofaast.elevenpaths.com:9002/xssbypass/iframebypass.php?iframe=%22srcdoc=%22%3Cscript%3Ealert('Bypass%20message')%3C/script%3E

The problem was reported in October, the 23rd. They fixed it two days later, making XSSAuditor catch reflected srcdoc properties even without an "IFRAME" tag injection. Chrome has just fixed it in recent 32.0.1700.76 version.

Safari for Mac and iPhone is vulnerable as well.



This weakness has been discovered by Ioseba Palop from Eleven Paths (ioseba.palop@...aths.com<mailto:ioseba.palop@...aths.com>). Full samples and detailed explanation here: http://blog.elevenpaths.com/2014/01/how-to-bypass-antixss-filter-in-chrome.html


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ