Bug 27405

Summary: [XSSAuditor] URL encoded ampersand can be used to bypass XSSAuditor
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebKit Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, sam
Priority: P2 Keywords: XSSAuditor
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
URL: http://webblaze.org/dbates/xsstest.php?q=<a href='about:blank' onclick=alert('%26q')>Test</a>
Attachments:
Patch with tests (flags: abarth: review+)

Daniel Bates
Reported 2009-07-17 22:52:46 PDT
When decoding HTML entities (XSSAuditor::decodeHTMLEntities), the ampersand is removed and the supposed entity is consumed. If the entity turns out to be invalid, such as an unknown named entity, then a null-character is inserted into the decoded result, which creates a discrepancy between the script code and the HTTP parameters.

Consider:

Inline Event Handler:
http://webblaze.org/dbates/xsstest.php?q=%3Ca%20href='http://www.webblaze.org'%20onclick='alert(/%26XSS/)'%3EClick%3C/a%3E

JavaScript Link:
http://webblaze.org/dbates/xsstest.php?q=%3Ca%20href=javascript:alert(/%26XSS/)%3EClick%3C/a%3E
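To make the discrepancy above concrete, here is an added, hypothetical C++ model (not WebKit's XSSAuditor code) of an entity decoder: with `keepInvalid` false it consumes an unknown entity and inserts a NUL, as the report describes; with `keepInvalid` true it leaves the text as written, which is the assumed correct behaviour. `kNamedEntities`, `decodeHTMLEntities`'s `keepInvalid` flag and `auditorFindsSnippet` are assumptions for illustration, and the check is run on the report's own onclick payload.

```cpp
#include <cctype>
#include <map>
#include <string>

// Hypothetical, deliberately tiny entity table (assumption, not WebKit's table).
static const std::map<std::string, char> kNamedEntities = {
    {"amp", '&'}, {"lt", '<'}, {"gt", '>'}, {"quot", '"'}};

// keepInvalid == false: unknown entity is consumed and a NUL is inserted
//                       (the behaviour the bug report describes).
// keepInvalid == true:  the '&' and the following text are copied through
//                       unchanged (assumed correct behaviour).
std::string decodeHTMLEntities(const std::string& in, bool keepInvalid) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '&') { out += in[i]; continue; }
        // Scan the candidate entity name after the '&'.
        size_t j = i + 1;
        while (j < in.size() && std::isalnum(static_cast<unsigned char>(in[j]))) ++j;
        std::string name = in.substr(i + 1, j - i - 1);
        bool hasSemicolon = j < in.size() && in[j] == ';';
        auto it = kNamedEntities.find(name);
        if (it != kNamedEntities.end()) {
            out += it->second;                 // valid entity: emit its character
            i = hasSemicolon ? j : j - 1;      // consume name (and ';' if present)
        } else if (keepInvalid) {
            out += '&';                        // keep '&'; the loop copies the name
        } else {
            out += '\0';                       // bug: entity consumed, NUL inserted
            i = hasSemicolon ? j : j - 1;
        }
    }
    return out;
}

// Model of the auditor's decision: the reflected script snippet must be found
// in the decoded request parameter for the injection to be blocked.
bool auditorFindsSnippet(const std::string& parameter, const std::string& snippet,
                         bool fixedDecoder) {
    return decodeHTMLEntities(parameter, fixedDecoder).find(snippet) != std::string::npos;
}
```

With the consuming decoder the parameter decodes to `alert(/\0/)`, the snippet `alert(/&XSS/)` is never found and the payload passes; with the text preserved the match succeeds.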
Attachments
Patch with tests (4.91 KB, patch)
2009-07-17 22:56 PDT, Daniel Bates
abarth: review+
Daniel Bates
Comment 1 2009-07-17 22:56:28 PDT
Created attachment 33007: Patch with tests
Adam Barth
Comment 2 2009-07-17 23:12:18 PDT
Comment on attachment 33007: Patch with tests

Yes.
Adam Barth
Comment 3 2009-07-17 23:20:25 PDT
Committing to http://svn.webkit.org/repository/webkit/trunk ...
	M	LayoutTests/ChangeLog
	A	LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt
	A	LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand.html
	A	LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt
	A	LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand.html
	M	WebCore/ChangeLog
	M	WebCore/page/XSSAuditor.cpp
Committed r46086
	M	WebCore/ChangeLog
	M	WebCore/page/XSSAuditor.cpp
	A	LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt
	A	LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand.html
	A	LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt
	A	LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand.html
	M	LayoutTests/ChangeLog
r46086 = 209a4aa2f77640ff10c4bb3e541c94cc9ee1a53d (trunk)
No changes between current HEAD and refs/remotes/trunk
Resetting to the latest refs/remotes/trunk
http://trac.webkit.org/changeset/46086