Bug 127853 - [XSSAuditor] Improve detection of inline event handlers
Summary: [XSSAuditor] Improve detection of inline event handlers
Status: RESOLVED WONTFIX
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: All Unspecified
: P2 Normal
Assignee: Nobody
URL: http://car-online.fr/en/CTF-tools/chr...
Keywords: XSSAuditor
Depends on:
Blocks:
 
Reported: 2014-01-29 13:41 PST by Fabien Duchene
Modified: 2021-09-21 14:29 PDT
Attachments
proof of concept of type-1 filter bypass (91.35 KB, image/png)
2014-01-29 13:41 PST, Fabien Duchene
Description Fabien Duchene 2014-01-29 13:41:56 PST
Created attachment 222592 [details]
proof of concept of type-1 filter bypass

Hi,

If there is a reflection in the attribute context of a <SOURCE> tag, it seems the taint is not inferred in the event handlers, and as a result, such a reflection case is not caught by your Type-1 XSS filter.

e.g.:
<?php
// Deliberately vulnerable proof of concept: the request parameter is reflected
// unescaped into the attribute context of a <source> tag.
global $_GET;
print('<video><source '.$_GET['arg'].'></source></video>');
?>

http://car-online.fr/en/CTF-tools/chrome_xss_2/?arg=onerror%3Dalert(1)

I understood that you only consider 1 parameter to be reflected, which is the case here.

Best,
Comment 1 Fabien Duchene 2014-01-29 13:48:32 PST
tested on version: 32.0.1700.77
Comment 2 Fabien Duchene 2014-01-29 13:55:50 PST
also tested:

32.0.1700.102
Comment 3 Daniel Bates 2014-02-11 12:21:40 PST
Thanks Fabien for the bug report.

Towards reducing the number of false positives, the XSS Auditor does not detect the injection of an inline event handler within a tag. "We believe that the majority of such injections occur as part of breaking out of a quoted property and thus a request that does not contain a single or double quote can be allowed." (comment 0, bug #29944)
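An added illustration, not code from this report or from WebKit: the first function mirrors the quote heuristic quoted above, the auditor class shows the attribute-level check the report title asks for, and the last function shows why a server-side fix needs an attribute allow-list rather than escaping alone. The reflection test (the rendered attribute appearing verbatim in the request value) is a deliberate simplification of the real auditor.

```python
from html import escape
from html.parser import HTMLParser

# Allow-listed attribute names for a <source> tag in the hardened renderer (assumption).
SOURCE_ATTRS_ALLOWED = ("src", "type")


def quote_heuristic_flags(param_value: str) -> bool:
    """Rule from comment 3: only a request containing a quote is suspected."""
    return '"' in param_value or "'" in param_value


class EventHandlerAuditor(HTMLParser):
    """Flags any on* attribute in the response that is reflected from the request,
    regardless of whether the request contains a quote."""

    def __init__(self, reflected: str):
        super().__init__()
        self.reflected = reflected.lower()
        self.hits = []  # (tag, attribute name, attribute value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # html.parser lowercases names for us
            if name.startswith("on"):
                rendered = name if value is None else f"{name}={value}"
                if rendered.lower() in self.reflected:
                    self.hits.append((tag, name, value))

    handle_startendtag = handle_starttag


def audit(param_value: str, response_html: str) -> list:
    auditor = EventHandlerAuditor(param_value)
    auditor.feed(response_html)
    return auditor.hits


def render_vulnerable(arg: str) -> str:
    """Constructed stand-in for the PHP in the report: arg lands in attribute-name context."""
    return f"<video><source {arg}></source></video>"


def render_hardened(attrs: dict) -> str:
    """Server-side fix: keep only allow-listed attribute names and quote/escape values.
    Escaping alone would not help here because the injected text needs no special chars."""
    parts = [f'{k}="{escape(v, quote=True)}"' for k, v in attrs.items() if k in SOURCE_ATTRS_ALLOWED]
    return "<video><source " + " ".join(parts) + "></video>"
```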
Comment 4 Daniel Bates 2014-02-11 12:28:03 PST
This isn't a security bug. We should look to fix the following XSS Auditor tests: property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html.
Comment 5 Brent Fulgham 2021-09-21 14:29:21 PDT
The XSS Auditor is removed in Bug 230499.