Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Google Chrome 24 Anti-XSS Filter Bypass
From: Jakub Zoczek <zoczus () gmail com>
Date: Mon, 21 Jan 2013 16:32:11 +0100

Hello,

Result of your php code is in 1 line. That's why your payload is parsed
correctly. On my test server, your test.php code returned two lines, and
browser gives me javascript parse error :) SO - if we have possibility to
create our full javascript payload without syntax problems by multiple
GET/POST variables - it seems to be working (same as most DOM-Based XSS) -
probably because of putting just part of the code to execute into variable
in request.

I also tried to search some method to bypass XSSAuditor - you can check
more details about method
here<http://zoczus.blogspot.com/2013/01/chrome-i-xssauditor.html>.
(in Polish).

Cheers!
JZ



On Mon, Jan 21, 2013 at 2:25 PM, WHK Yan <yan.uniko.102 () gmail com> wrote:

Sumary
----------
A security flaw allows an attacker to execute XSS attacks evading the
native filter AntiXSS.

Details
---------
A few days ago I found a way to circumvent the security system of the
current latest version of Google Chrome that prevents XSS attack and I have
left a temporary proof of concept here:
http://ec2-50-16-152-72.compute-1.amazonaws.com/chrome-filterxss-bypass.php

test.php
<p> var1: <?php echo $ _GET ['var1'];?> </ p>
<p> var2: <?php echo $ _GET ['var2'];?> </ p>

Filter Works: test.php?var1=<script>alert(document.cookie);/*&var2=*/</
script>
Filter Bypass: test.php?var1=<script>alert(document.cookie);x='&var2=';</
script>

The problem is that Chrome does not remove everything that is in front of
<script> allowing an attacker manage to obfuscate the code after the code
is injected.


http://trac.webkit.org/browser/trunk/Source/WebCore/html/parser/XSSAuditor.cpp?rev=119184#L91
Only filter comments in script tag.

To understand a little more of this we must first know that Google has
provided a filter that prevents an attacker aprobecharse your browser, but
... How real is it in practice?

Taking a look on the internet (
https://www.google.cl/search?q=bypass%20chrome%20xss%20filter) I realized
that over time there have been many ways to circumvent this security system
and today is no exception, but end user then it really serves this added
security system, the answer is NO and Microsoft knows very well also
because since the release of Internet Explorer 8 have tried to create
similar filters to prevent such attacks without positive results and that
each security conference to be held somewhere in the world there is always
someone who shows up with his new bypass your filter.

But ... What is XSS? ...
A technically XSS attack is when a web site prints everything that you
send may inject malicious code can eg steal user sessions, etc. But even
though this is purely because of a bad development WEB some companies opt
for trying prevent such situations directly through their products
(browsers).

Was it reported?
I did report waiting to give me something to google bounty program (
http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program) but was told that was not covered xD 
indeed said they had some things
that if filtered and some not:

https://code.google.com/p/chromium/issues/detail?id=171114
# 1 jsc ... @ chromium.org

That is correct. The XSS auditor does not filter script Explicitly
injection split across multiple variables. At some point we plan on
posting a document explaining what the XSS auditor can and can not filter.

Is it 100% effective?
The answer is too light and is a resounding NO, is like the case of a
virus, the same manufacturers say they can not ensure that detect more than
30% of all existing viruses, in the case of the filters you can ensure
neither antixss nobody ever you can hack through an XSS filter is actually
the factory and can not or do not want to delete, and will have to use it.

What are the risks of using anti XSS filters?
Some companies like Microsoft have had huge problems by imposing these
filters to users because some attackers manage to make such a filter is
placed against the same users can steal accounts websites have never had
problems security such as universal XSS case of Internet Explorer (
http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Lindsay ). In
other issues of standards and programming since in some cases they send
some pages to a section where you send HTML content parameters and filters
antixss the interrupt, which goes against the standard HTTP protocol
because that's what URL encodings and proper web programming.

Mozilla is very clear
Today Mozilla Firefox does not use any filter antiXSS, why?, Because they
have clear, use an anti xss only attracts more hackers and hackers to try
to break those rules and effortlessly possible, try to impose filters is
like trying to cover the sun with one finger, XSS flaws are not the fault
of the explorers but developers of websites, for otherwise we often want to
test or teach people about how to take care of codes such situations but it
is only possible from mozilla firefox and others that do not include such a
filter.

From Mozilla Firefox recommend using NoScript addon (
https://wiki.mozilla.org/Security/Features/XSS_Filter ) for people who
really want a filter and not imposed. As always worrying about what we want
and not of what we consume.

(powered by Google Translator).

Mirror
--------
http://whk.drawcoders.net/index.php/topic,2889.0.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault