Google Chrome 43.0.2357.124 XSS Filter Bypass

Posted on Posted in Exploit

Google Chrome version 43.0.2357.124 suffers from a cross site scripting filter bypass vulnerability.

Hi! Just wanted to share my finding. I’ve found a way to bypass
Chrome’s anti-xss filter. This bypass is universal, and it defeats
Chrome’s XSSAuditor in all cases!

If you find it interesting for you, or for your readers, here are the details:

Description

XSS attacks occur when one website injects JavaScript code into
otherwise legitimate requests to another website. The injected script
generally attempts to access privileged information. The XSS Filter
detects JavaScript in URL and HTTP POST requests. If JavaScript is
detected, the XSS Filter searches evidence of reflection. If
reflection is detected, the XSS Filter sanitizes the original request
so that the additional JavaScript cannot be executed. However, the XSS
filter can by bypassed with leading regexp inside svg script tag.
Details

Title: Google Chrome Anti-XSS Filter Bypass
Affected Products: Google Chrome 43.0.2357.124 m (letest stable version)
Discovery Date: 16-06-15
Author: Yosi Ovadia (http://vulnerable.info/)
Payload: <svg><script>/<1/>alert(document.domain)</script></svg>

POC

http://vulnerable.info/poc/poc.php?foo=%3Csvg%3E%3Cscript%3E/%3C1/%3Ealert(document.domain)%3C/script%3E%3C/svg%3E
Reporting

The issue was reported to chromium security team, and was fixed within 5
hours. The team marked it as a significant bypass.
Patch

https://codereview.chromium.org/1187843005/
Revision

http://src.chromium.org/viewvc/blink?view=revision&revision=197282

Quelle: PacketStormSecurity

Facebooktwittergoogle_plus