RESOLVED FIXED 27405
[XSSAuditor] URL encoded ampersand can be used to bypass XSSAuditor
https://bugs.webkit.org/show_bug.cgi?id=27405
Daniel Bates
Reported 2009-07-17 22:52:46 PDT
When decoding HTML entities (XSSAuditor::decodeHTMLEntities), the ampersand is removed and the supposed entity is consumed. If the entity turns out to be invalid, such as an unknown named entity, then a null character is inserted into the decoded result, which creates a discrepancy between the script code and the HTTP parameters.

Consider:

Inline Event Handler:
http://webblaze.org/dbates/xsstest.php?q=%3Ca%20href='http://www.webblaze.org'%20onclick='alert(/%26XSS/)'%3EClick%3C/a%3E

JavaScript Link:
http://webblaze.org/dbates/xsstest.php?q=%3Ca%20href=javascript:alert(/%26XSS/)%3EClick%3C/a%3E
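The discrepancy the report describes is easiest to see with a small entity decoder that can run under either policy for unknown references. The code below is an added illustration, not WebKit's XSSAuditor::decodeHTMLEntities and not the patch attached to this bug: the named-entity table is a five-entry toy, numeric references are limited to ASCII code points, and "preserve the literal text of an invalid reference" is assumed here as the corrective behaviour, not taken from r46086. The reflectedScriptDetected helper is likewise a simplified model of the auditor's substring comparison between the script the parser saw and the decoded request parameter.

```cpp
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <map>
#include <string>

// Toy named-entity table (assumption: the real table is the full HTML list).
static const std::map<std::string, std::string> kNamedEntities = {
    {"amp", "&"}, {"lt", "<"}, {"gt", ">"}, {"quot", "\""}, {"apos", "'"},
};

// InsertNull models the behaviour the bug report describes for an invalid
// reference; PreserveLiteral copies the original "&..." text through unchanged.
enum class InvalidEntityPolicy { InsertNull, PreserveLiteral };

// Decodes HTML character references in `input`. Named references must end in
// ';' (simplification); numeric references must decode to a code point in
// 1..0x7F (simplification). Anything else is an invalid reference.
std::string decodeHTMLEntities(const std::string& input, InvalidEntityPolicy policy)
{
    std::string out;
    size_t i = 0;
    while (i < input.size()) {
        if (input[i] != '&') { out += input[i++]; continue; }

        size_t j = i + 1;
        bool numeric = j < input.size() && input[j] == '#';
        if (numeric) ++j;
        size_t bodyStart = j;
        while (j < input.size() && std::isalnum(static_cast<unsigned char>(input[j]))) ++j;
        std::string body = input.substr(bodyStart, j - bodyStart);
        bool terminated = j < input.size() && input[j] == ';';
        size_t next = terminated ? j + 1 : j;   // index just past the reference

        std::string decoded;
        bool valid = false;
        if (numeric && !body.empty()) {
            bool hex = body[0] == 'x' || body[0] == 'X';
            const char* digits = body.c_str() + (hex ? 1 : 0);
            char* end = nullptr;
            long cp = std::strtol(digits, &end, hex ? 16 : 10);
            if (end != digits && *end == '\0' && cp > 0 && cp < 0x80) {
                decoded = std::string(1, static_cast<char>(cp));
                valid = true;
            }
        } else if (!numeric && terminated) {
            auto it = kNamedEntities.find(body);
            if (it != kNamedEntities.end()) { decoded = it->second; valid = true; }
        }

        if (valid) {
            out += decoded;
        } else if (policy == InvalidEntityPolicy::InsertNull) {
            out += '\0';                       // ampersand and body consumed, NUL emitted
        } else {
            out += input.substr(i, next - i);  // keep "&XSS" exactly as the page will
        }
        i = next;
    }
    return out;
}

// Simplified model of the auditor's check: is the script the HTML parser is
// about to run a substring of the decoded request parameter? If the decoder
// rewrote part of the parameter, the reflected script is no longer found.
bool reflectedScriptDetected(const std::string& scriptSeenByParser,
                             const std::string& httpParameter,
                             InvalidEntityPolicy policy)
{
    return decodeHTMLEntities(httpParameter, policy).find(scriptSeenByParser) != std::string::npos;
}

int main()
{
    // Constructed inputs mirroring the bug's "JavaScript Link" case.
    const std::string script = "javascript:alert(/&XSS/)";
    const std::string param  = "<a href=javascript:alert(/&XSS/)>Click</a>";
    std::cout << "InsertNull detects:      " << reflectedScriptDetected(script, param, InvalidEntityPolicy::InsertNull) << "\n";
    std::cout << "PreserveLiteral detects: " << reflectedScriptDetected(script, param, InvalidEntityPolicy::PreserveLiteral) << "\n";
    return 0;
}
```

Under InsertNull the parameter decodes to `<a href=javascript:alert(/\0/)>Click</a>`, so the comparison misses the script; under PreserveLiteral the decoded parameter is byte-for-byte what the HTML parser sees, because a real parser also leaves an unknown reference such as `&XSS` untouched.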
Attachments
Patch with tests (4.91 KB, patch)
2009-07-17 22:56 PDT, Daniel Bates
abarth: review+
Daniel Bates
Comment 1 2009-07-17 22:56:28 PDT
Created attachment 33007 [details] Patch with tests
Adam Barth
Comment 2 2009-07-17 23:12:18 PDT
Comment on attachment 33007 [details] Patch with tests

Yes.
Adam Barth
Comment 3 2009-07-17 23:20:25 PDT
Committing to http://svn.webkit.org/repository/webkit/trunk ...
	M	LayoutTests/ChangeLog
	A	LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt
	A	LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand.html
	A	LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt
	A	LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand.html
	M	WebCore/ChangeLog
	M	WebCore/page/XSSAuditor.cpp
Committed r46086
	M	WebCore/ChangeLog
	M	WebCore/page/XSSAuditor.cpp
	A	LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt
	A	LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand.html
	A	LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt
	A	LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand.html
	M	LayoutTests/ChangeLog
r46086 = 209a4aa2f77640ff10c4bb3e541c94cc9ee1a53d (trunk)
No changes between current HEAD and refs/remotes/trunk
Resetting to the latest refs/remotes/trunk
http://trac.webkit.org/changeset/46086