Closed
Bug 991186
Opened 11 years ago
Closed 11 years ago
Wrong HTML parsing which supports easiest XSS exploiting
Categories
(Firefox :: General, defect)
RESOLVED
WONTFIX
People
(Reporter: tomek.tomczyk.pwa, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140314220517
Steps to reproduce:
Today I did a security audit for one of my websites and I found a stupid mistake when I tried to bypass a slash-escaping filter. On Firefox the XSS payload works, but on Chrome it does not.
I tested an API webpage and the code is something like this:
{"name":"<USER_GET_DATA>","details":null}
The filter works when we try to add <body onload="alert(0)"> as an example; the result:
{"name":"<body onload=\"javascript:alert(0)\">","details":null}
But then I deleted the " character and the payload works.
I know that security checks should be done on the webserver side, but this trick works only on Firefox; when I tried to do this on Google Chrome, it just shows the output, but nothing happened.
Actual results:
After deleting the " character the payload works,
example: <body onload=javascript:alert(0)> will be executed.
That's a very unsafe feature, because some websites just use slash escaping and that normally should work, but the Firefox interpreter executes the JavaScript.
Expected results:
Nothing, it should just show the code without executing the script.
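Added example (not part of the bug report or of Firefox): a Python model of the report above, showing that the "slash escaping" seen in the API output is ordinary JSON string escaping, which never touches < or >, and what context-correct handling looks like on the server (HTML-encoding before placing the value in HTML, or serving the document as JSON with sniffing disabled). The function names and the response headers shown are this example's own choices.

```python
import html
import json

# Constructed inputs: the two payloads quoted in the bug report.
QUOTED = '<body onload="alert(0)">'
UNQUOTED = '<body onload=javascript:alert(0)>'


def json_encode_name(name: str) -> str:
    """Models the API page in the report: the value is placed in a JSON
    document, so only quotes and backslashes are escaped (the 'slash
    escaping' the reporter saw). HTML metacharacters pass through."""
    return json.dumps({"name": name, "details": None}, separators=(",", ":"))


def has_raw_tag(text: str) -> bool:
    """Defender-side check: a literal '<' followed by a letter is what an
    HTML parser treats as a tag open. JSON escaping never removes it."""
    return any(text[i] == "<" and text[i + 1:i + 2].isalpha()
               for i in range(len(text)))


def html_encode(value: str) -> str:
    """Encoding for an HTML context: <, >, &, \" and ' become entities,
    so the browser's HTML parser never sees a tag boundary."""
    return html.escape(value, quote=True)


def render_json_as_html(name: str) -> str:
    """If the JSON text must be shown inside an HTML page, it goes through
    HTML encoding as a second, context-specific step."""
    return "<pre>" + html_encode(json_encode_name(name)) + "</pre>"


def json_response(name: str) -> dict:
    """If the document is meant to be JSON, say so: the content type keeps
    browsers from rendering it as HTML and nosniff forbids guessing.
    Header choice is this example's, not a recommendation from the bug."""
    return {
        "headers": {
            "Content-Type": "application/json; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
        },
        "body": json_encode_name(name),
    }
```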
Updated•11 years ago
Component: Untriaged → General
Firefox does not currently have an XSS filter like what you mention in Chrome or IE, so the parsing is correct for HTML. This feature has been suggested and is being worked on in bug 528661 and discussed on a feature page here: https://wiki.mozilla.org/Security/Features/XSS_Filter
Updated•11 years ago
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX