The Spanner Blog : Bypassing XSSAuditor

Written by on March 4, 2013 in Experience - No comments

The spammer blog posted about bypassing XSS Auditor, a tool built-in Chrome and IE and enabled by default to prevent XSS attacks or just doing some weird things to your page. XSS Auditor could be easily bypassed using an anchor or iframe and overall its detection schema seems to be very limited :

It is also a very limited XSS filter not supporting detection of script based attacks (very common). Another thing I noticed is it doesn’t actually detect attacks either it simply flags a valid attack based on a character

You can inject a anchor with a javascript url if the injection occurs next to an existing anchor element these are accounted for by the filter by trying to detect if the is a & or forward slash etc. They tried to cover all js comment but forgot two things, first ––> is a single line comment in javascript and the paragraph/line separators can activate it just like a new line since it needs to start on it’s own line to work on Chrome.

XSS Auditor might have a strange behavior to remove certain scripts from your page, so you might use Egor script to get a notification once a XSS Auditor removed any injected code.

Leave a Comment