Bypassing XSS Auditor in Google Chrome

I was playing around with a site belonging to the fellow writer blacktom, who also posts stuff in this blog. Anyway, blacktom developed this particular site about 7-8 years ago and did a classic mistake, no bad feelings :) , he used encoding where he should have used encryption.

Successful exploitation of the flaw would result in a reflected XSS transported via the URL (GET method). Although this flaw could lead to more serious things (remember, PHP uses a problematic function to decode base64 which could lead to remote shells etc), I just stored somewhere the URL, actually I have a bunch of .txt files with vuln sites that I found from time to time.

Anyway, a long time ago I stopped using Chrome when I was pentesting, because of the Firefox plugins that allowed a significant extension of the features. Also, Chrome didn’t allow testing for XSS vulnerabilities. Being lucky, I opened blacktom’s vuln app with Chrome and an alert stating XSS popped. Long story short, I tried a various combinations which all worked. So, bypassing XSS auditor is possible in another way, remember the <svg> tags allowing bypassing too.

I went on , trying document.cookie, AJAX to this server and all worked fine. I assumed that Chrome offers no auditing inside base64 encoded data for XSS. I filed a security bug about this, in which I will come back later. Anyway, thing is you can bypass XSS Auditor in Chrome using base64 encoding wherever this is allowed by the under attack web page :)

Back to the security bug, this is not the first time I find a security bug in a software and I file a report, but it is the first time that within a few hours I had a response, immediate, clear and thankful, from the developers. I had vulnerabilities(commonly called 0days, btw this is not a 0day 😛 ) before in major web applications and social networking sites and either they didn’t respond or even worse, their team couldn’t go further than TRUE or FALSE given the vulnerable variable and a classic, for example SQLi string.

So, Congratulations for the response and the product to all the guys behind chrome :)

Leave a Reply

Your email address will not be published. Required fields are marked *