Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Google Chrome 24 Anti-XSS Filter Bypass
From: WHK Yan <yan.uniko.102 () gmail com>
Date: Mon, 21 Jan 2013 10:25:27 -0300

A security flaw allows an attacker to execute XSS attacks evading the
native filter AntiXSS.

A few days ago I found a way to circumvent the security system of the
current latest version of Google Chrome that prevents XSS attack and I have
left a temporary proof of concept here:

<p> var1: <?php echo $ _GET ['var1'];?> </ p>
<p> var2: <?php echo $ _GET ['var2'];?> </ p>

Filter Works: test.php?var1=<script>alert(document.cookie);/*&var2=*/</
Filter Bypass: test.php?var1=<script>alert(document.cookie);x='&var2=';</

The problem is that Chrome does not remove everything that is in front of
<script> allowing an attacker manage to obfuscate the code after the code
is injected.

Only filter comments in script tag.

To understand a little more of this we must first know that Google has
provided a filter that prevents an attacker aprobecharse your browser, but
... How real is it in practice?

Taking a look on the internet (
https://www.google.cl/search?q=bypass%20chrome%20xss%20filter) I realized
that over time there have been many ways to circumvent this security system
and today is no exception, but end user then it really serves this added
security system, the answer is NO and Microsoft knows very well also
because since the release of Internet Explorer 8 have tried to create
similar filters to prevent such attacks without positive results and that
each security conference to be held somewhere in the world there is always
someone who shows up with his new bypass your filter.

But ... What is XSS? ...
A technically XSS attack is when a web site prints everything that you send
may inject malicious code can eg steal user sessions, etc. But even though
this is purely because of a bad development WEB some companies opt for
trying prevent such situations directly through their products (browsers).

Was it reported?
I did report waiting to give me something to google bounty program (
but was told that was not covered xD indeed said they had some things
that if filtered and some not:

# 1 jsc ... @ chromium.org

That is correct. The XSS auditor does not filter script Explicitly
injection split across multiple variables. At some point we plan on
posting a document explaining what the XSS auditor can and can not filter.

Is it 100% effective?
The answer is too light and is a resounding NO, is like the case of a
virus, the same manufacturers say they can not ensure that detect more than
30% of all existing viruses, in the case of the filters you can ensure
neither antixss nobody ever you can hack through an XSS filter is actually
the factory and can not or do not want to delete, and will have to use it.

What are the risks of using anti XSS filters?
Some companies like Microsoft have had huge problems by imposing these
filters to users because some attackers manage to make such a filter is
placed against the same users can steal accounts websites have never had
problems security such as universal XSS case of Internet Explorer (
http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Lindsay ). In
other issues of standards and programming since in some cases they send
some pages to a section where you send HTML content parameters and filters
antixss the interrupt, which goes against the standard HTTP protocol
because that's what URL encodings and proper web programming.

Mozilla is very clear
Today Mozilla Firefox does not use any filter antiXSS, why?, Because they
have clear, use an anti xss only attracts more hackers and hackers to try
to break those rules and effortlessly possible, try to impose filters is
like trying to cover the sun with one finger, XSS flaws are not the fault
of the explorers but developers of websites, for otherwise we often want to
test or teach people about how to take care of codes such situations but it
is only possible from mozilla firefox and others that do not include such a

From Mozilla Firefox recommend using NoScript addon (
https://wiki.mozilla.org/Security/Features/XSS_Filter ) for people who
really want a filter and not imposed. As always worrying about what we want
and not of what we consume.

(powered by Google Translator).

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]