There is a bug in the anti-cross site scripting filter in Chrome and Safari that enables an attacker to bypass the filter in some cases and use an XSS flaw on a given site to compromise visitors’ machines. The vulnerability is fairly simple to exploit and a researcher has posted proof-of-concept code.
The vulnerability lies in the way that anti-XSS filters handle a specific attribute in IFRAME tags. These filters are designed to prevent attackers from being able to use XSS flaws on vulnerable Web sites in order to run malicious injected code in users’ browsers. Exploiting this flaw allows the attacker to bypass the filter and run his injected code.
“This bug is based on a misuse of the srcdoc attribute of the IFRAME tag, included in the HTML5 definition. To perform an XSS attack on Google Chrome Browser or Safari using this bug, the website must include an IFRAME and must be able to read any attribute of this element from HTTP parameters (GET/POST) without applying any charset filter. Then, in the IFRAME parameter, the srcdoc attribute may be included with JavaScript code. The browser cannot filter it and it will be executed,” Ioseba Palop from Eleven Paths wrote in an advisory.
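To make the precondition in the advisory concrete, here is an added example (not code from the advisory, Eleven Paths or the browser vendors) of a server-side helper that reflects an HTTP parameter into an IFRAME attribute: the unsafe version concatenates the raw value, so a value containing a closing quote can smuggle in further attributes such as srcdoc, while the hardened version allowlists the origin and encodes the value for an attribute context. The function names, the allowlist and the sample input are all constructed for this example.

```javascript
// Constructed allowlist of origins the page is willing to frame.
const ALLOWED_ORIGINS = ['https://example.com'];

// Encode a string for use inside a double-quoted HTML attribute value.
function encodeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Unsafe: the parameter value is dropped straight into the tag, which is the
// "no charset filter" pattern the advisory describes. A value that contains a
// closing quote terminates src and can add extra attributes.
function renderIframeUnsafe(src) {
  return `<iframe src="${src}"></iframe>`;
}

// Hardened: reject anything that is not a parseable absolute URL on an
// allowlisted origin, then attribute-encode the normalised href so the value
// can never terminate the attribute it sits in.
function renderIframeSafe(src) {
  let url;
  try {
    url = new URL(src);
  } catch (e) {
    return null; // not an absolute URL at all
  }
  if (!ALLOWED_ORIGINS.includes(url.origin)) {
    return null; // origin not allowlisted
  }
  return `<iframe src="${encodeAttr(url.href)}"></iframe>`;
}

// Count srcdoc attributes (whitespace followed by srcdoc=) in rendered markup.
function countSrcdoc(html) {
  return (html.match(/\ssrcdoc=/gi) || []).length;
}

// Constructed sample input: closes the src attribute and appends a benign srcdoc.
const SAMPLE_INPUT = 'https://example.com/page" srcdoc="<b>injected</b>';
```

With the sample input, the unsafe renderer emits a second attribute while the hardened one emits a single percent-encoded src value and no srcdoc at all.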
Palop said he informed Google of the vulnerability in Chrome back in October and the company developed a fix a couple of days later. The patch landed in the stable Chrome channel in the recent release of version 32. He said that the vulnerability still exists in Safari on Mac and iPhone, however. Eleven Paths contacted Apple about the flaw, but the company said it is still working on the issue.
“They confirmed our email, and told us they were working on it. And it seems that they still are, since the program is still vulnerable. Every time we have tried to contact back with them again, they reply back telling there is no news, but they are working on it,” the company blog post said.
Robert Hansen, a security researcher and director of product management at WhiteHat Security, said the attack could be a problem, although it’s not the most common XSS attack scenario.
“The attack does rely on being injected into an existing iframe tag. That does happen, but it is somewhat rare compared to the more common HTML or parameter injection variants and is often also coupled to a ‘content spoofing’ exploit as well, as defined by WASC. Generally speaking, people who use iframes should be wary of accepting user input to dictate the location of the frame, and sanitizing input is always a good idea,” Hansen said.