Bypassing Chrome’s Anti-XSS filter

Background

While reading tweets I came across this link, which described how to bypass Chrome's Anti-XSS filter. So I thought, why not put the same on my blog. Actually I like the entire idea, or rather the attack vector used in the finding. So the data below is all his; I have just rewritten it in my own way.

Getting Started

In order to demonstrate this bypass I have made a vulnerable page at http://www.dhirajranka.com/misc/anti-xss.php. It simply reads two GET parameters, "a" and "b", and prints them back.

To start the demonstration, we can begin by injecting HTML tags and see whether they render.
[Figure: HTML Injection]

Now, to make the XSS work, we try injecting a JavaScript alert call, and we will see that it does not work.

http://www.dhirajranka.com/misc/anti-xss.php?a=attack_vector&b=demo

attack_vector=<script>alert('XSS');</script>

[Figure: SCRIPT Injection]

Now, looking carefully at the <script> tag highlighted in the source code, we cannot find our alert call: Chrome has detected it, filtered out the alert popup, and left us an empty script element. The question now is how to bypass this. So I removed the closing script tag and observed the browser's reaction:

http://www.dhirajranka.com/misc/anti-xss.php?a=attack_vector&b=demo

attack_vector=<script>alert('XSS')

[Figure: SCRIPT Injection without closing tag]

Here, Chrome did not remove the script tag; instead it added a closing script tag of its own right before the end of the body tag to finish it. So even this trick did not work for us, as all the text and HTML (including my signature at the bottom) is now embedded in the script context. Because the JavaScript interpreter will not render HTML tags, we do not get the alert popup. The main aim is to somehow make our JavaScript work with the data we pass in our two parameters. This can be achieved using the following trick in the parameter values.

http://www.dhirajranka.com/misc/anti-xss.php?a=attack_vector&b=attack_vector2

attack_vector=<script>alert('XSS');/*
attack_vector2=*/</script>

[Figure: Success]

At last, it worked! The multi-line comment markers mean nothing to HTML, but once placed in a JavaScript context they mean the world: everything between the two reflected fragments is commented out, and what remains is a complete script.
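As an added example (not code from the original post, nor from the referenced article), here is a small Python model of the page described above: a handler that echoes the two parameters verbatim next to one that HTML-encodes them before output, plus a check that extracts whatever would land inside a <script> element. The template, the constructed query string and the function names are assumptions for illustration. The point for a defender is that the browser filter was only ever a second line of defence (Chrome has since removed its XSS Auditor entirely), so correct output encoding on the server is what actually stops the reflection.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample request: the comment-split payload from the post, percent-encoded
# as a browser would send it (the ';' is encoded so every parse_qs version keeps it).
SAMPLE_QUERY = "a=%3Cscript%3Ealert('XSS')%3B/*&b=*/%3C/script%3E"


def parse_query(query):
    """Return {"a": "...", "b": "..."} from a raw query string (assumed page layout)."""
    parsed = parse_qs(query, keep_blank_values=True)
    return {name: parsed.get(name, [""])[0] for name in ("a", "b")}


def render_vulnerable(params):
    """Mirror the page from the post: both parameters are printed back untouched."""
    return f"<html><body><p>{params['a']}</p><p>{params['b']}</p></body></html>"


def render_hardened(params):
    """Same page, but every parameter is HTML-encoded before it reaches the response.
    '<', '>', '&' and quotes become character references, so attacker-supplied text
    can never open a tag or a script context, whatever the browser does."""
    a = html.escape(params["a"], quote=True)
    b = html.escape(params["b"], quote=True)
    return f"<html><body><p>{a}</p><p>{b}</p></body></html>"


class _ScriptCollector(HTMLParser):
    """Collect the raw text of every <script> element the HTML parser sees."""

    def __init__(self):
        super().__init__()
        self.bodies = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = []

    def handle_data(self, data):
        if self._current is not None:
            self._current.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.bodies.append("".join(self._current))
            self._current = None


def script_bodies(page):
    """Return the contents of all <script> elements in a rendered page.
    Used here as a response-side check: a correctly encoded reflection of
    user input must never produce a script element."""
    collector = _ScriptCollector()
    collector.feed(page)
    collector.close()
    return collector.bodies


if __name__ == "__main__":
    params = parse_query(SAMPLE_QUERY)
    # The unencoded page swallows the HTML between the two fragments into a JS comment.
    print("vulnerable:", script_bodies(render_vulnerable(params)))
    # The encoded page contains no script element at all.
    print("hardened:  ", script_bodies(render_hardened(params)))
```

Running the block shows the vulnerable render yields one script whose body is the two fragments joined around the intervening markup inside a comment, which is exactly the situation in the post's final screenshot, while the hardened render yields no script element. The same `script_bodies` check is a cheap assertion to put in an application's test suite for any endpoint that reflects request data.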

Summary

In order to bypass Chrome's Anti-XSS filter we need two parameters under our control, and we split the script code between them using a multi-line comment.

Reference

http://blog.securitee.org/?p=37
