Open Bug 1655728 Opened 4 years ago Updated 3 years ago

Cross-site scripting that leads to browser slowdown and endless searching, Version 78.0.1 (64-bit Windows 8.1)

Categories: Firefox :: Address Bar, defect, P5

Tracking: UNCONFIRMED

People: Reporter: saikolojitz, Unassigned

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36

Steps to reproduce:

1. By writing this payload javascript:x='%27-alert('but most of all, Mozilla is the best is' ')-%27'; Mozilla will search endlessly.
2. If you write javascript:x='%27-alert('but most of all, Mozilla is the best')-%27'; removing one apostrophe, the browser will not search but gets stuck.
3. If you use copy and paste, the browser will automatically remove the word javascript.

Actual results:

  1. The search engine gets stuck.
  2. Shows the unresponsive script warning.
  3. If I use javascript:x='%27-alert('but most of all, Mozilla is the best"')-%27'; the browser will search endlessly.

Expected results:

1. As a normal search, javascript:x='%27-alert(1)-%27'; should search normally and not get stuck.
2. The endless search of javascript:x='%27-alert('but most of all, Mozilla is the best is' ')-%27'; should search fine as well and not search endlessly, connecting to nowhere.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Search
Component: Search → JavaScript Engine
Product: Firefox → Core
Version: other → unspecified
Summary: Cross site scripting that lead to browser slow down and lead to the endless searching Version 78.0.1 (64 bit window 8.1) → Cross site scripting that lead to browser slow down and lead to the endless searching , Version 78.0.1 (64 bit window 8.1)
Component: JavaScript Engine → Address Bar
Product: Core → Firefox

Hi! How long does it take to confirm or to give the status of the bug? Should I expect anything? Thanks in advance.

I can't reproduce this on Windows 10 or macOS. I tried both typing out the string a character at a time and pressing enter, and pasting the string and prepending javascript and pressing enter.

We have had older bugs due to regexps in the urlbar that caused Firefox to hang, and iirc it depended on your system whether you saw the hang and how long the string had to be. It's possible my computer is too fast to see this. Are you testing on a slow machine or a slow virtual machine? Can you find a longer string that reproduces the problem?

Severity: -- → S4
Flags: needinfo?(saikolojitz)
Priority: -- → P5

Thanks, I am using Windows 8.1 on an HP machine; I don't think I can scale it any more. If you can't reproduce it, it can be marked as won't fix. If I get a POC that works on your machine, I will let you know. Thanks.

Flags: needinfo?(saikolojitz)

There's no harm in leaving this open because as I say we've had similar problems before, so I'd understand if we still have problems even if I can't reproduce this one. I also tried typing random characters in the middle of the string to make it longer and I still wasn't able to reproduce it.

Could you clarify whether you press the enter key after typing the string? Or does the hang happen without pressing the enter key? Does Firefox become completely unresponsive when this happens, or are you able to switch tabs, etc.?

Flags: needinfo?(saikolojitz)
  1. I usually press the enter key after typing the string, but I also tried pressing the arrow button on the address bar; still, it has the same behaviour.

  2. Firefox did not go completely unresponsive, but if you leave the endless search for a few minutes, it will crash by showing "chrome/browser/content/....js unresponsive script". (I made a mistake by not noting the number of the js file that was shown, as I was rushing to find the solution.)

  3. I updated my Firefox two days ago, from Firefox 78.0.2 (20200708170202) to Firefox 79.0 (20200720193547). When I tried it again on the updated Firefox 79.0 (20200720193547), I noted that there is no endless search any more, but when copying the payload javascript:x='%27-alert('but most of all, Mozilla is the best is' ')-%27'; the word "javascript" will be stripped out and only x='%27-alert('but most of all, Mozilla is the best is' ')-%27'; will remain.

  4. If you type the payload, then press enter or the arrow button at the search bar, Firefox will not search; it acts like nothing is in the address bar, or like no key/button was pressed. This applies to Firefox 79.0 (20200720193547).

Flags: needinfo?(saikolojitz)

(In reply to htester from comment #6)

> 3. I updated my Firefox two days ago, from Firefox 78.0.2 (20200708170202) to Firefox 79.0 (20200720193547). When I tried it again on the updated Firefox 79.0 (20200720193547), I noted that there is no endless search any more

So you can't reproduce this bug anymore, is that correct?

> but when copying the payload javascript:x='%27-alert('but most of all, Mozilla is the best is' ')-%27'; the word "javascript" will be stripped out and only x='%27-alert('but most of all, Mozilla is the best is' ')-%27'; will remain.

Yes, this is intentional, in order to protect users from scams that ask them to paste and run Javascript in the urlbar. People who know what they're doing can manually add it back after pasting.

> 4. If you type the payload, then press enter or the arrow button at the search bar, Firefox will not search; it acts like nothing is in the address bar, or like no key/button was pressed. This applies to Firefox 79.0 (20200720193547).

This is not intentional and is bug 1506100.
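As an added illustration of the paste guard described in this reply (example code written for this page, not Firefox's own implementation), a small model of an address-bar buffer that strips a leading javascript: scheme from pasted text but leaves typed text alone, so the scheme can be typed back in by hand; the regex, the UrlbarModel class and the constructed sample payload are assumptions.

```javascript
// Added example, not Firefox code: the urlbar strips "javascript:" from
// pasted text (self-XSS protection) but never rewrites what the user types.
// Assumption: leading whitespace and any letter case still count as the scheme;
// only the scheme prefix is removed, the remainder of the paste is untouched.
const JS_SCHEME_PREFIX = /^\s*javascript:/i;

function stripJavascriptScheme(text) {
  return text.replace(JS_SCHEME_PREFIX, "");
}

// Minimal model of the address-bar input buffer (hypothetical class).
class UrlbarModel {
  constructor() {
    this.value = "";            // what the user would see in the bar
    this.strippedScheme = false; // set when a paste was rewritten
  }
  type(chars) {
    // Keyboard input: no rewriting at all.
    this.value += chars;
    return this.value;
  }
  paste(clipboardText) {
    // Paste input: the self-XSS guard applies before the text lands.
    const cleaned = stripJavascriptScheme(clipboardText);
    this.strippedScheme = cleaned !== clipboardText;
    this.value += cleaned;
    return this.value;
  }
}

// Constructed sample: the payload quoted in the report above.
const REPORTED_PAYLOAD =
  "javascript:x='%27-alert('but most of all, Mozilla is the best is' ')-%27';";

function demo() {
  const pasted = new UrlbarModel();
  pasted.paste(REPORTED_PAYLOAD);                 // scheme is dropped
  const restored = new UrlbarModel();
  restored.type("javascript:");                   // typed back by hand
  restored.paste(REPORTED_PAYLOAD.slice("javascript:".length));
  return {
    afterPaste: pasted.value,
    flagged: pasted.strippedScheme,
    restored: restored.value,
  };
}
```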

The endless search by payload javascript:x='%27-alert('but most of all, Mozilla is the best is' ')-%27'; now works only on a new tab, but if you have searched anything (opened any website) the search won't do anything, as you referenced in the bug above.

Well, I still can't reproduce this on 79 and Nightly regardless of whether I try it on a new tab or a loaded page. I can't imagine how that would matter anyway.

Are there any errors in the browser console?

No, I got no error, but I think this is an OS-based issue if you can't reproduce it. To me, it shows up in both normal and private windows. If not OS-based, it is an issue of Google search in the address bar, as this payload in the Google Chrome address bar fires self-XSS if you open anything, or if it is a new tab, the payload will disappear.