Bug 66580 - XSS Filter Bypass with long strings
Summary: XSS Filter Bypass with long strings
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: 528+ (Nightly build)
Hardware: All (OS: All)
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: XSSAuditor
Depends on:
Blocks: 66579
Reported: 2011-08-19 13:50 PDT by Adam Barth
Modified: 2011-09-02 14:57 PDT (History)

See Also:


Attachments
test case (890 bytes, application/zip)
2011-08-19 13:50 PDT, Adam Barth, no flags
Static version of post response (20.15 KB, text/plain)
2011-09-02 12:36 PDT, Thomas Sepez, no flags
Proposed TestCase (47.95 KB, patch)
2011-09-02 14:08 PDT, Thomas Sepez, no flags
Proposed test case with "" typo removed. (47.95 KB, patch)
2011-09-02 14:13 PDT, Thomas Sepez, no flags

Description Adam Barth 2011-08-19 13:50:24 PDT
Created attachment 104557 [details]
test case

http://code.google.com/p/chromium/issues/detail?id=77731

VULNERABILITY DETAILS
On pages that render a large amount of user input, it is possible to bypass the XSS filter.

VERSION
Chrome Version: 11.0.696.25 beta
Operating System: Windows Vista SP2

REPRODUCTION CASE

The attachment contains two files: a PHP file and an HTML file. Host the PHP file and update the form action in the HTML file to point to it. Open a new chrome tab and navigate to the HTML file.
Comment 1 Thomas Sepez 2011-09-02 12:35:11 PDT
Adam, DNR using Chrome 14 on Linux.  Didn't have PHP, but used a static file whose output matches what we'd expect from your static input file.  Console reports the XSS filter caught it.  I'll add my static output as an attachment.
Comment 2 Thomas Sepez 2011-09-02 12:36:29 PDT
Created attachment 106176 [details]
Static version of post response
Comment 3 Adam Barth 2011-09-02 12:38:38 PDT
Yeah, I think I fixed it in an earlier patch.  We probably should convert your static test to a LayoutTest and close this bug.
Comment 4 Thomas Sepez 2011-09-02 14:08:08 PDT
Created attachment 106195 [details]
Proposed TestCase
Comment 5 Thomas Sepez 2011-09-02 14:13:29 PDT
Created attachment 106196 [details]
Proposed test case with "" typo removed.
Comment 6 WebKit Review Bot 2011-09-02 14:57:03 PDT
Comment on attachment 106196 [details]
Proposed test case with "" typo removed.

Clearing flags on attachment: 106196

Committed r94451: <http://trac.webkit.org/changeset/94451>
Comment 7 WebKit Review Bot 2011-09-02 14:57:09 PDT
All reviewed patches have been landed.  Closing bug.