Bug 127853

Summary: [XSSAuditor] Improve detection of inline event handlers
Product: WebKit Reporter: Fabien Duchene <fabien_duchene_vulnerability_report>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX    
Severity: Normal CC: bfulgham, dbates
Priority: P2 Keywords: XSSAuditor
Version: 528+ (Nightly build)   
Hardware: All   
OS: Unspecified   
URL: http://car-online.fr/en/CTF-tools/chrome_xss_2/?arg=onerror%3Dalert(1)
Attachments:
Description Flags
proof of concept of type-1 filter bypass none

Description Fabien Duchene 2014-01-29 13:41:56 PST 
Created attachment 222592 [details]
proof of concept of type-1 filter bypass

Hi,

If there is a reflection in the attribute context of a <SOURCE> tag, it seems the taint is not inferred in the event handlers, and as a result, such a reflection case is not catched by your Type-1 XSS filter.

eg:
<?php
global $_GET;
print('<video><source '.$_GET['arg'].'></source></video>');
?>

http://car-online.fr/en/CTF-tools/chrome_xss_2/?arg=onerror%3Dalert(1)

I understood that you only consider 1 parameter to be reflected, which is the case here.

Best,
Comment 1 Fabien Duchene 2014-01-29 13:48:32 PST 
tested on version: 32.0.1700.77
Comment 2 Fabien Duchene 2014-01-29 13:55:50 PST 
also tested:

32.0.1700.102
Comment 3 Daniel Bates 2014-02-11 12:21:40 PST 
Thanks Fabien for the bug report.

Towards reducing the number of false positives, the XSS Auditor does not detect the injection of an inline event handler within a tag. "We believe that the majority of such injections occur as part of breaking out of a quoted property and thus a request that does not contain a single or double quote can be allowed." (comment 0, bug #29944)
Comment 4 Daniel Bates 2014-02-11 12:28:03 PST 
This isn't a security bug. We should look to fix the following XSS Auditor tests: property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html.
Comment 5 Brent Fulgham 2021-09-21 14:29:21 PDT 
The XSS Auditor is removed in Bug 230499.