Hello,

The result of your PHP code is on one line. That's why your payload is parsed correctly. On my test server your test.php code returned two lines, and the browser gives me a JavaScript parse error :)

So, if we have the possibility to create our full JavaScript payload without syntax problems via multiple GET/POST variables, it seems to be working (same as most DOM-based XSS), probably because only part of the code to execute is put into a variable in the request.
I also tried to search for a method to bypass XSSAuditor; you can check more details about the method here: <http://zoczus.blogspot.com/2013/01/chrome-i-xssauditor.html> (in Polish).

Cheers!
JZ

On Mon, Jan 21, 2013 at 2:25 PM, WHK Yan <yan.uniko....@gmail.com> wrote:
> Summary
> ----------
> A security flaw allows an attacker to execute XSS attacks, evading the
> native anti-XSS filter.
>
> Details
> ---------
> A few days ago I found a way to circumvent the security system in the
> current latest version of Google Chrome that prevents XSS attacks, and I
> have left a temporary proof of concept here:
> http://ec2-50-16-152-72.compute-1.amazonaws.com/chrome-filterxss-bypass.php
>
> test.php
> <p> var1: <?php echo $_GET['var1']; ?> </p>
> <p> var2: <?php echo $_GET['var2']; ?> </p>
>
> Filter works: test.php?var1=<script>alert(document.cookie);/*&var2=*/</script>
> Filter bypass: test.php?var1=<script>alert(document.cookie);x='&var2=';</script>
>
> The problem is that Chrome does not remove everything that is in front of
> <script>, allowing an attacker to obfuscate the code after the code is
> injected.
>
> http://trac.webkit.org/browser/trunk/Source/WebCore/html/parser/XSSAuditor.cpp?rev=119184#L91
> Only comments in the script tag are filtered.
>
> To understand a little more of this, we must first know that Google has
> provided a filter that prevents an attacker from taking advantage of your
> browser, but... how real is it in practice?
>
> Taking a look on the internet
> (https://www.google.cl/search?q=bypass%20chrome%20xss%20filter) I realized
> that over time there have been many ways to circumvent this security
> system, and today is no exception. But does this added security system
> really serve the end user? The answer is NO, and Microsoft knows this very
> well too, because since the release of Internet Explorer 8 they have tried
> to create similar filters to prevent such attacks without positive results,
> and at every security conference held somewhere in the world there is
> always someone who shows up with a new bypass for their filter.
>
> But... what is XSS?...
> Technically, an XSS attack is when a web site prints everything that you
> send to it, so malicious code can be injected that can, e.g., steal user
> sessions, etc. But even though this is purely due to bad web development,
> some companies opt to try to prevent such situations directly through
> their products (browsers).
>
> Was it reported?
> I did report it, waiting for the Google bounty program
> (http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program)
> to give me something, but I was told that it was not covered xD. Indeed,
> they said they had some things that are filtered and some that are not:
>
> https://code.google.com/p/chromium/issues/detail?id=171114
>
> #1 jsc...@chromium.org
>
> > That is correct. The XSS auditor explicitly does not filter script
> > injection split across multiple variables. At some point we plan on
> > posting a document explaining what the XSS auditor can and cannot filter.
>
> Is it 100% effective?
> The answer is all too easy and is a resounding NO. It is like the case of
> viruses: the manufacturers themselves say they cannot ensure that they
> detect more than 30% of all existing viruses. In the case of the filters,
> neither can an anti-XSS filter ensure that nobody can ever hack you through
> an XSS filter; it actually comes from the factory and cannot be removed,
> or they do not want to remove it, and you will have to use it.
>
> What are the risks of using anti-XSS filters?
> Some companies like Microsoft have had huge problems by imposing these
> filters on users, because some attackers manage to turn such a filter
> against the same users and can steal accounts on websites that have never
> had security problems, such as the universal XSS case in Internet Explorer
> (http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Lindsay). In
> other cases there are issues of standards and programming, since in some
> cases pages send HTML content in parameters to a section, and the anti-XSS
> filters interrupt them, which goes against the standard HTTP protocol,
> because that is what URL encoding and proper web programming are for.
>
> Mozilla is very clear
> Today Mozilla Firefox does not use any anti-XSS filter. Why? Because they
> are clear that using an anti-XSS filter only attracts more hackers to try
> to break those rules as effortlessly as possible; trying to impose filters
> is like trying to cover the sun with one finger. XSS flaws are not the
> fault of the browsers but of the developers of websites, and besides, we
> often want to test or teach people how to take care of their code in such
> situations, but that is only possible from Mozilla Firefox and others that
> do not include such a filter.
>
> Mozilla Firefox recommends using the NoScript addon
> (https://wiki.mozilla.org/Security/Features/XSS_Filter) for people who
> really want a filter that is not imposed. As always, worrying about what we
> want and not about what we consume.
>
> (powered by Google Translator)
>
> Mirror
> --------
> http://whk.drawcoders.net/index.php/topic,2889.0.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
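[Editor's added example, not code from either poster.] The two URLs from WHK Yan's post and JZ's one-line-versus-two-lines observation can be reproduced offline. The Node.js script below simulates the reflection done by test.php, runs a deliberately simplified model of an XSSAuditor-style check (an assumption for illustration: truncate the reflected script at the first comment opener, then require that what remains appears verbatim in a single request parameter; it is not Chrome's actual code), checks with new Function() whether the reflected script would even parse, and shows the application-side fix, which is to HTML-escape before reflecting (what htmlspecialchars() does in PHP). The queries are the ones in the post; everything else is constructed here.

```javascript
// Queries taken from the original post.
const WORKS_QUERY = 'var1=<script>alert(document.cookie);/*&var2=*/</script>';
const BYPASS_QUERY = "var1=<script>alert(document.cookie);x='&var2=';</script>";

// Simulates test.php: both parameters reflected unescaped inside <p> tags.
// singleLine=true reproduces the one-line output the PoC page relies on;
// false reproduces the two-line output JZ saw on his own server.
function renderTestPhp(query, singleLine) {
  const p = new URLSearchParams(query);
  const v1 = p.get('var1') || '';
  const v2 = p.get('var2') || '';
  return `<p>var1: ${v1}</p>${singleLine ? '' : '\n'}<p>var2: ${v2}</p>`;
}

// Content of the first <script> element in the rendered page, or null.
function firstScriptBody(html) {
  const m = /<script>([\s\S]*?)<\/script>/i.exec(html);
  return m ? m[1] : null;
}

// Simplified model of a reflected-XSS filter (assumption, not Chrome's
// code): take the reflected <script> snippet, cut it at the first comment
// opener (the "only comments are filtered" behaviour the post points at),
// and block only if what remains occurs verbatim in one request parameter.
// Splitting the script across two parameters, with page HTML in between,
// means no single parameter contains the canonical snippet.
function auditorModelBlocks(query, html) {
  const body = firstScriptBody(html);
  if (body === null) return false;
  const snippet = '<script>' + body;
  const cut = snippet.search(/\/\/|\/\*|<!--/);
  const canonical = cut === -1 ? snippet : snippet.slice(0, cut);
  for (const value of new URLSearchParams(query).values()) {
    if (value.includes(canonical)) return true;
  }
  return false;
}

// Would the reflected script compile at all? new Function() parses the
// body without executing it, so alert() is never called.
function scriptParses(html) {
  const body = firstScriptBody(html);
  if (body === null) return false;
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// The real fix belongs in test.php: escape before reflecting.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderTestPhpFixed(query) {
  const p = new URLSearchParams(query);
  return `<p>var1: ${escapeHtml(p.get('var1') || '')}</p>\n` +
         `<p>var2: ${escapeHtml(p.get('var2') || '')}</p>`;
}

for (const [name, q] of [['works', WORKS_QUERY], ['bypass', BYPASS_QUERY]]) {
  for (const single of [true, false]) {
    const html = renderTestPhp(q, single);
    console.log(`${name}, ${single ? 'one line' : 'two lines'}: ` +
      `blocked=${auditorModelBlocks(q, html)} parses=${scriptParses(html)}`);
  }
}
console.log('escaped page still contains a <script> element:',
  firstScriptBody(renderTestPhpFixed(BYPASS_QUERY)) !== null);
```

Running it shows why JZ's server broke the PoC: with two-line output, the string literal opened by x=' in var1 now spans a newline before it is closed in var2, which is a syntax error, whereas the /* ... */ variant (the one the model blocks) tolerates the newline because a block comment may span lines. With escaping in place there is no <script> element left for either a filter or an attacker to work with.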