Another XSS auditor bypass

Thursday, 19 February 2015

This bug is similar to the last one I posted but executes in a different context. It requires an existing script after the injection because we use it to close the injected script. It’s a shame chrome doesn’t support self closing scripts in HTML or within a SVG element because I’m pretty sure I could bypass it without using an existing script. Anyway the injection uses a data url with a script. In order to bypass the filter we need to concat the string with the quote from the attribute or use html entities such as //. The HTML parser doesn’t care how much junk is between the opening and closing script since we are using a src attribute.

PoC
PoC2

The entry 'Another XSS auditor bypass' was posted on February 19th, 2015 at 7:50 pm and last modified on February 19th, 2015 at 7:51 pm, and is filed under Security, xss. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments are closed :( too much spam. If you want to contact me about any article please email or tweet me.

M	T	W	T	F	S	S
« Jan				Mar »
						1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28

Another XSS auditor bypass

Inspiration

Recent Comments