Bypassing Chrome’s Anti-XSS filter
While reading the tweets I came across this link which described how to bypass Chrome's Anti-XSS filter. So I thought why not put the same on my blog as well. Actually I like the entire idea, or rather the attack vector which is being used in the finding. So the data below is all his and I have just rewritten it in my own way.
Now, in order to demonstrate this bypass, I have made a vulnerable page at http://www.dhirajranka.com/misc/anti-xss.php. It simply reads two GET parameters, viz., “a” and “b”, and prints them back unchanged.
To start the demonstration we can begin by injecting HTML tags and seeing whether they render.
Now, if we look carefully at the <script> tag I have highlighted in the source code, we cannot find our alert function inside it: Chrome has detected it and filtered out the alert popup, leaving an empty script for us. Now the question is how we would bypass this. So I have removed the closing script tag; observe the browser's reaction:
SCRIPT Injection without closing tag
In order to bypass Chrome's Anti-XSS filter we need two variables under our control, and we split the script code across both of them using multi-line comments.
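As an added example (not the author's anti-xss.php, whose source is not shown), here is a reconstruction of a two-parameter reflection page of the kind the post describes, beside a hardened form. The point for defenders: a browser-side filter is a heuristic that can be sidestepped by splitting markup across parameters, whereas encoding each reflected value for its HTML context, plus a CSP that refuses inline script, removes the bug itself. Function and parameter names are my own.

```php
<?php
// Added example: reconstructed vulnerable page next to its hardened form.
// Assumes the page reflects GET parameters "a" and "b" into HTML body text.

// Read a GET parameter as a string; ?a[]=x would otherwise yield an array.
function get_param(string $name): string
{
    $v = $_GET[$name] ?? '';
    return is_string($v) ? $v : '';
}

// --- Vulnerable form: both values are echoed into the page unencoded.
// The browser's reflected-XSS filter is the only thing standing between the
// input and the DOM, and the post shows it does not hold once the injected
// markup is spread over "a" and "b".
function render_vulnerable(): string
{
    return '<p>a: ' . get_param('a') . "</p>\n"
         . '<p>b: ' . get_param('b') . "</p>\n";   // raw reflection
}

// --- Hardened form: HTML-encode every reflected value. Each fragment has its
// '<', '>', '"', "'" and '&' replaced, so no tag can be opened in one
// parameter and continued in the other, however the payload is split.
function html_encode(string $value): string
{
    // ENT_QUOTES covers attribute contexts too; ENT_SUBSTITUTE avoids an
    // empty result (and silent data loss) on malformed UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(): string
{
    return '<p>a: ' . html_encode(get_param('a')) . "</p>\n"
         . '<p>b: ' . html_encode(get_param('b')) . "</p>\n";
}

// Defence in depth: with no inline script allowed, a surviving reflection bug
// still cannot execute. Headers must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
header('X-Content-Type-Options: nosniff');
header('Content-Type: text/html; charset=UTF-8');

echo "<!doctype html>\n<html><body>\n";
echo render_hardened();   // render_vulnerable() reproduces the post's behaviour
echo "</body></html>\n";
```

Compare the two responses to the same request in the page source: the hardened one shows `&lt;script&gt;` as literal text in both paragraphs, and the CSP header reports any remaining inline-script attempt in the browser console.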