Closed Bug 991186 Opened 11 years ago Closed 11 years ago

Wrong HTML parsing which supports easy XSS exploitation

Categories

(Firefox :: General, defect)

28 Branch
x86
Windows 7
defect
Not set
normal

Tracking

RESOLVED WONTFIX

People

(Reporter: tomek.tomczyk.pwa, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140314220517

Steps to reproduce:

Today I did a security audit for one of my websites and I found a stupid mistake when I tried to bypass a slash-escaping filter. On Firefox the XSS payload works, but on Chrome it does not. I tested an API webpage and the code is something like this:

{"name":"<USER_GET_DATA>","details":null}

The filter works when we try to add <body onload="alert(0)">, for example; the result:

{"name":"<body onload=\"javascript:alert(0)\">","details":null}

But then I deleted the " character and the payload works. I know that security checks should be done on the web server side, but this trick works only on Firefox; when I tried to do this on Google Chrome, it just shows the output, but nothing happened.

Actual results:

After deleting the " character the payload works; for example, <body onload=javascript:alert(0)> will be executed. That's a very unsafe feature, because some websites just use slash escaping and that normally should work, but the Firefox interpreter executes the JavaScript.

Expected results:

Nothing, it should just show the code without executing the script.
Component: Untriaged → General
Firefox does not currently have an XSS filter like the one you mention in Chrome or IE, so the parsing is correct for HTML. This feature has been suggested and is being worked on in bug 528661 and discussed on a feature page here https://wiki.mozilla.org/Security/Features/XSS_Filter
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
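As an added illustration (not part of the bug report or of Firefox), the Python sketch below contrasts the quote-only "slash escaping" the reporter describes with context-appropriate encoding, and shows why the unquoted payload passes the filter unchanged while the triager's point stands: HTML attribute values need not be quoted, so the parser is behaving correctly. The response shape, function names and the slash_escape behaviour are assumptions modelled on the report.

```python
import html
import json

# Constructed sample inputs: the two payload shapes from the bug report.
QUOTED_PAYLOAD = '<body onload="alert(0)">'
UNQUOTED_PAYLOAD = '<body onload=alert(0)>'


def slash_escape(value: str) -> str:
    """The quote-only 'slash escaping' the report describes (assumed behaviour).

    It only prefixes backslashes and double quotes with a backslash. That is a
    string-literal escape for a JSON/JS context; it does nothing about '<', '>'
    or an attribute value that never contained quotes to begin with.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def render_unsafe(name: str) -> str:
    """Assumed shape of the vulnerable response from the report, built by string
    concatenation and then served in a way the browser parses as HTML."""
    return '{"name":"' + slash_escape(name) + '","details":null}'


def render_safe(name: str) -> str:
    """Context-appropriate encoding: a real JSON encoder for the JSON context,
    then HTML entity escaping because the text ends up in an HTML document.
    (Serving it with Content-Type: application/json instead would also keep
    the browser from treating it as markup at all.)"""
    body = json.dumps({"name": name, "details": None}, separators=(",", ":"))
    return html.escape(body, quote=True)


def has_tag_start(rendered: str) -> bool:
    """Cheap output check usable in a test suite: any raw '<' left in text that
    will be rendered as HTML is a tag start to the parser, and HTML does not
    require attribute values to be quoted, so a quote-only filter is not a fix."""
    return "<" in rendered


if __name__ == "__main__":
    for label, payload in (("quoted", QUOTED_PAYLOAD), ("unquoted", UNQUOTED_PAYLOAD)):
        print(f"{label:8} slash-escaped : {render_unsafe(payload)}")
        print(f"{label:8} safely encoded: {render_safe(payload)}")
    # The unquoted payload passes the slash-escaping filter completely unchanged.
    assert render_unsafe(UNQUOTED_PAYLOAD) == '{"name":"<body onload=alert(0)>","details":null}'
```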