Bypassing Chrome XSS filter + Apache mod

sla.ckers.org is
ha.ckers sla.cking

Q and A for any cross site scripting information. Feel free to ask away.

Go to Topic: Previous•Next

Go to: Forum List•Message List•New Topic•Search•Log In

Bypassing Chrome XSS filter + Apache mod_security?

Posted by: serpentine85

Date: April 02, 2012 09:35PM

The site I found an XSS on appears to be using mod_security. Anything with "<script" or "< script" in the URL returns a 403 page. Googling around shows that there are numerous possible workarounds to the filter; however, I'm not sure how I can combine it with bypassing Chrome's filter.

<svg><script>//
alert(1)</script> works with Chrome (due to a current bug in Chrome's XSS filter), but not mod_security, due to mod_security not allowing <script

<img src="x:blah" onerror="alert(1)"> seems to bypass mod_security, but Chrome strips onerror and all other on attributes.

Both these filters are definitely vulnerable, but I don't know how to make something that'll bypass both.

I control the attribute of an <a onclick="">, and there's no escaping or filtering done by the web app itself. So "> does break me out. I only control that one variable though.

Any ideas?

Thanks.

Edited 1 time(s). Last edit at 04/02/2012 09:35PM by serpentine85.

Options: Reply•Quote

Re: Bypassing Chrome XSS filter + Apache mod_security?

Posted by: Albino

Date: April 03, 2012 03:27AM

Could you inject alert(1)" style="position:absolute;top:0px;left:0px;right:0px;bottom:0px

to make a link that executes js on a click and covers the entire screen?

-------------------------------------------------------
Research blog

Options: Reply•Quote

Re: Bypassing Chrome XSS filter + Apache mod_security?

Posted by: serpentine85

Date: April 04, 2012 01:59AM

This does work, but I was kind of hoping for it to auto-execute upon page load.

Options: Reply•Quote

Re: Bypassing Chrome XSS filter + Apache mod_security?

Posted by: PaPPy

Date: April 05, 2012 04:13PM

is onmouseover restricted?
if not use the same style so anywhere on screen they move the mouse, it will cause the xss to run

http://www.xssed.com/archive/author=PaPPy/

Options: Reply•Quote

Re: Bypassing Chrome XSS filter + Apache mod_security?

Posted by: serpentine85

Date: April 05, 2012 05:19PM

Chrome's XSS filter seems to filter all "on" attributes, including "onload" "onerror" "onmouseover" etc.

However, there is a current bug in Chrome's filter that allows the injection of only <script> tags in combination with some comments. And yet Apache mod_security seems to ONLY filter <script> tags in the URL, while not doing much about filtering attributes. mod_security blocks < script, < sCrIpT, and all derivations of that.

Odds are there's no way to slip in a "<script" past mod_security, and unless I find a new unpatched exploit with Chrome's filter (and I fiddled around with various things for a while, but all the bugs are found within <script> tag parsing and nothing else), this is probably gonna be impossible.

Options: Reply•Quote

Go to: Forum List•Message List•Search•Log In

Sorry, only registered users may post in this forum.

Click here to login