Bypass chrome xss filter

Http://www.bkjia.com/Article/201110/109037.html

 

I buried a hole in my first article and did not elaborate on the CSP strategy.

 

Http://www.bkjia.com/Article/201110/109038.html

In the last article, there was actually a pitfall, but the interception method was not described in detail.

 

In fact, what we saw before is illusory, and those scripts are dynamically rendered. We are always in a box. Let's break this box and look down.

 

Looking at the following code, we have removed the </body> tag.

<Html>
<Head> <Body>
<? Php
Echo $ _ GET ['a'];
?>
<Script>
Alert (document. getElementsByTagName ('body') [0]. innerHTML );
</Script>
</Html>

 

The program automatically fixes the closed body tag. At the same time, we can see that the attribute value of the unclosed IMG tag actually eats the next tag. You should understand it here, or the label correction issue.

 

The Program understands this with no closed labels. The content after onerror = is all suspicious script content and needs to be corrected.

xxxxxxx </script>

So it was corrected

xxxxxxx

 

After understanding this, I will make a 0-day attack, hoping to help you understand the Security Prototype:

 

In this scenario, the next node of the tag output by XSS is a <script> tag or the simulated code above, but this time the body tag is closed.

<Html>
<Head> <Body>
<? Php
Echo $ _ GET ['a'];
?>
<Script>
Alert (document. getElementsByTagName ('body') [0]. innerHTML );
</Script>
</Body>
</Html>

 

Because I have not closed the script tag, according to the tag correction feature of the chrome xss filter, it will find the content of the next tag and find that the multiple <script> tags are corrected, then 0 day was born and our cross-site script was executed.

 

Summary:

The tag correction feature of chrome xss filter has a vulnerability. In specific scenarios where tag attribute values are not closed and complete tags are not closed, Cross-Site Script content can be executed.

From the black box of RAyh4c