uxssDB.md

UXSS recorded vulnerabilities

This file contains the list of CVE vulnerabilities that we studied during the term project.

Chrome:

Browser:

• CVE-2017-5069: https://bugs.chromium.org/p/chromium/issues/detail?id=667079 -- Use of the XSS auditor blocking mode to leak information
• CVE-2017-5045: https://bugs.chromium.org/p/chromium/issues/detail?id=667079
• CVE-2017-5018: https://bugs.chromium.org/p/chromium/issues/detail?id=668665 -- Vulnerability in chrome://apps: It happens when this page is open in a tab, and a malicious page is open in another one. The drag and drop to the area with the app tiles results in that malicious page can be use in an unsafe way and be assign to the innerHTML parameter of an active document element. Since the apps page has no CSP to mitigate it, this can allow the use of NTP APIs such as: Enumerating the browsing history through favicons, Querying who is signed in in Chrome, Opening restricted URLs (including URLs that normally requires the user to manually type the URL, e.g. chrome://kill), Disabling extensions, Launching apps, Filling the preferences database with junk (AppLauncherHandler::HandleSaveAppPageName does not validate the bounds on the parameters)
• CVE-2017-5010: https://bugs.chromium.org/p/chromium/issues/detail?id=663476 -- Vulnerability when link element is removed from its parent when linked to the last pending stylesheet: When a stylesheet happens to be the last pending one in the document and that a link element is aware of its removal, this can result on fragment anchor and then layout updates which are forbidden. Tthe updates may end up resolving a FontFace load promise, which allows an attacker to bypass the ScriptForbiddenScope and corrupt the DOM tree. The parent function may also endup firing a focus event that runs arbitrary code.
• CVE-2017-2479: https://www.exploit-db.com/exploits/41866/ -- Vulnerability in WebKit/Blink
• CVE-2017-5008: https://bugs.chromium.org/p/chromium/issues/detail?id=668552
• CVE-2017-5007: https://bugs.chromium.org/p/chromium/issues/detail?id=671102
• CVE-2017-5020: https://bugs.chromium.org/p/chromium/issues/detail?id=668653&desc=2
• CVE-2017-5018: https://bugs.chromium.org/p/chromium/issues/detail?id=668665
• CVE-2017-5010: https://bugs.chromium.org/p/chromium/issues/detail?id=663476
• CVE-2017-5008: https://bugs.chromium.org/p/chromium/issues/detail?id=668552 -- Vulnerability in WebKit/Blink
• CVE-2017-5007: https://bugs.chromium.org/p/chromium/issues/detail?id=671102 -- Vulnerability in WebKit/Blink
• CVE-2017-5006: https://bugs.chromium.org/p/chromium/issues/detail?id=673170 -- Vulnerability in WebKit/Blink
• CVE-2016-5226: https://bugs.chromium.org/p/chromium/issues/detail?id=639750 -- XSS using Dropjacking -- Because of JS, selected character is replaced with javascript:alert(1) therefore XSS occurs. This only happens in Chrome. See below video for better understanding. -- The idea here is to drag and drop a text from one tab to another and replace the actual text by some malicious javascript that will be executed in the context of the victim's domain
• CVE-2016-5208: https://bugs.chromium.org/p/chromium/issues/detail?id=658535 -- Vulnerability in WebKit/Blink
• CVE-2016-5207: https://bugs.chromium.org/p/chromium/issues/detail?id=655904 -- Vulnerability in WebKit/Blink
• CVE-2016-5204: https://bugs.chromium.org/p/chromium/issues/detail?id=630870 -- Vulnerability in WebKit/Blink
• CVE-2016-5191: https://bugs.chromium.org/p/chromium/issues/detail?id=639126 -- UXSS introduced through bookmark containing user information -- The idea here is to craft a malicious URL and trick the user so that he bookmarks it. Then, the malicious URL which contains some JS code, is going to lead to the execution of the malicious JS in the context of whichever domain is currently loaded in the active tab.
• CVE-2016-5181: http://www.cvedetails.com/cve/CVE-2016-5181/ -- Vulnerability in WebKit/Blink
• CVE-2016-5165: https://bugs.chromium.org/p/chromium/issues/detail?id=618037 -- Devtools old remote frontend allows running privileged scripts via overwriting localStorage settings -- Attacker can run arbitrary javascript code via watchExpression that runs in the context of the website when DevTools is launched.
• CVE-2016-5164: http://www.cvedetails.com/cve/CVE-2016-5164/ -- Vulnerability in WebKit/Blink
• CVE-2016-5148: http://www.cvedetails.com/cve/CVE-2016-5148/ -- Vulnerability in WebKit/Blink
• CVE-2016-5147: http://www.cvedetails.com/cve/CVE-2016-5147/ -- Vulnerability in WebKit/Blink
• CVE-2015-1286: http://www.cvedetails.com/cve/CVE-2015-1286/ -- Vulnerability in WebKit/Blink
• CVE-2015-1285: http://www.cvedetails.com/cve/CVE-2015-1285/ -- Vulnerability in WebKit/Blink
• CVE-2015-1264: https://bugs.chromium.org/p/chromium/issues/detail?id=481015 -- XSS in the bookmark button
• CVE-2014-3197: https://bugs.chromium.org/p/chromium/issues/detail?id=396544 -- XSS filter information leak -- The idea here is to try to guess a secret that is on a victim's page by writing a malicious script after a anchor in the URL and see whether the XSS Filters reacted.
• CVE-2014-1747: https://bugs.chromium.org/p/chromium/issues/detail?id=330663 -- UXSS from a local MHTML file
• CVE-2014-1701: https://bugs.chromium.org/p/chromium/issues/detail?id=342618 -- UXSS via dispatchEvent on iframes -- The problem here is that the attacker was able to call "dispatchEvent" on iframe.contentWindow. (Note: DispatchEvent enables to "trigger" an event). In this case, some conditions had to be met for the attack to be successful (such has event handlers returning DOM nodes and so on). In such conditions, an attacker was able to trigger some events and recover the DOM nodes especially the "document" node, which enables to access any part of the embedded page.
• CVE-2013-2849: https://bugs.chromium.org/p/chromium/issues/detail?id=171392 -- Cross-Origin copy&paste / drag&drop allowing XSS -- D&D/C&P black-list doesn't cover srcdoc.
• CVE-2013-2848: https://bugs.chromium.org/p/chromium/issues/detail?id=176137 -- Some sensitive data extraction can be made using the XSS auditor with X-XSS-Protection using block mode. More details on the XSS Auditor on http://homakov.blogspot.kr/2013/02/hacking-with-xss-auditor.html
• CVE-2013-0909: https://bugs.chromium.org/p/chromium/issues/detail?id=173906 -- Document.referrer leakage with XSS Auditor page block. See http://homakov.blogspot.kr/2013/02/hacking-with-xss-auditor.html
• CVE-2010-1236: https://bugs.chromium.org/p/chromium/issues/detail?id=37383 -- javascript: url with a leading NULL byte can bypass cross origin protection.
• CVE-2009-3264: https://bugs.chromium.org/p/chromium/issues/detail?id=21338 -- Same Origin Policy Bypass via getSVGDocument() method.
• CVE-2009-1414: https://bugs.chromium.org/p/chromium/issues/detail?id=9860 -- ChromeHTML URI handler vulnerability

Extension based vulnerabilities

• CVE-2011-2107: http://www.adobe.com/support/security/bulletins/apsb11-13.html -- Flash Player Flaw. This was an important vulnerability that allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, when victim visits malicious website.
• CVE-2017-5020: https://bugs.chromium.org/p/chromium/issues/detail?id=668653&desc=2 -- chrome://downloads vulnerability that allows a malicious extension to run a program without user interaction: When the victim installs or upgrades a malicious extension, the XSS is perform on chrome://downloads by setting the extension name in the innerHTML assignment. This with the bypassing of CSP and safe browsing, will allow when the user click to run a program outside of chrome, the extension to run arbitrary code NS

Safari

• http://blog.elevenpaths.com/2014/01/how-to-bypass-antixss-filter-in-chrome.html

Edge/IE

Browser

• https://www.brokenbrowser.com/sop-bypass-uxss-tweeting-like-charles-darwin/
• https://www.brokenbrowser.com/sop-bypass-uxss-stealing-credentials-pretty-fast/
• https://www.brokenbrowser.com/sop-bypass-abusing-read-protocol/
• https://www.brokenbrowser.com/uxss-edge-domainless-world/
• https://blog.innerht.ml/ie-uxss/ -- Freeze the browser using alert box or synchronous AJAX call (use XMLHTTPRequest.open() with false as 3rd parameter: synchronous call). The goal here is to achieve thread blocking. Before redirecting to target resource, script execution does not break SOP because redirect.php is still on the same origin of the attacker's. However, once the target resource finished loading on frame 1, Internet Explorer will update the origin information accordingly. As a result, the previous script execution will suddenly be executed on the targets' origin. As a side note, the attack has to be done using two frames because Internet Explorer will remove all the object references once navigation occurs. The suggested fix would be either terminate the script execution or remain the origin information when navigation occurs. More details about this attack: http://danielebellavista.blogspot.kr/2015/02/uxss-multiple-targets-poc-cve-2015-0072.html
• CVE-2008-1082: https://www.cvedetails.com/cve/CVE-2008-1082/
• CVE-2016-3273: https://tools.cisco.com/security/center/viewAlert.x?alertId=46919 -- Vulnerability is due to improper validation of user-supplied input by the XSS filtering feature of the affected software.
• http://p42.us/ie8xss/Abusing_IE8s_XSS_Filters.pdf -- Abusing Internet Explorer 8's XSS Filters

Extension based vulnerabilities

• https://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf -- Vulnerability in the Adobe Acrobat extension for Internet Explorer 6 (or Mozilla plugin)

Mozilla Firefox

• CVE-2016-5262: https://bugzilla.mozilla.org/show_bug.cgi?id=1277475 -- XSS out of iframe sandbox, iframe disabled javascript. marquee
• CVE-2015-7188: https://bugzilla.mozilla.org/show_bug.cgi?id=1199430 -- White-spaces in host IP address, leading to same origin policy bypass
• CVE-2015-7187: https://bugzilla.mozilla.org/show_bug.cgi?id=1195735 -- To disable JS, set { script: false } when creating the panel, but inline JS is still executing (POC: create a browser extension)
• CVE-2014-1530: https://bugzilla.mozilla.org/show_bug.cgi?id=895557 -- It's possible to set a document's URI to a different document's URI by confusing docshell
• CVE-2014-1504: https://bugzilla.mozilla.org/show_bug.cgi?id=911547 -- data-URI + Firefox restart = CSP bypass. This attack scenario uses the fact that some part of the context is saved by the Browser when the Browser is restarted. Such context save might be used to bypass CSP
• CVE-2013-5612: https://bugzilla.mozilla.org/show_bug.cgi?id=871161 -- Potential XSS with cross-domain (cross-origin) inheritance of charset
• CVE-2013-1714: https://bugzilla.mozilla.org/show_bug.cgi?id=879787 -- Cross Domain Policy override using webworkers. Web Workers make it possible to run a script operation in background thread separate from the main execution thread of a web application. The advantage of this is that laborious processing can be performed in a separate thread, allowing the main (usually the UI) thread to run without being blocked/slowed down.
• CVE-2013-1713: https://bugzilla.mozilla.org/show_bug.cgi?id=887098 -- InstallTrigger can use the wrong principal when validating URI loads. Components/Extensions implementing their own security checks can potentially allow unsafe actions to be performed from content.
• CVE-2013-1709: https://bugzilla.mozilla.org/show_bug.cgi?id=848253 -- It's possible to set a document's URI to a different document's URI. An attacker can create a fake login page whose URI is a real login page's URI. And, if a password for the real login page was already saved in the Password Manager, an attacker can steal the password without user interaction. An attacker can inject scripts into a page that uses external scripts with relative URLs.
• CVE-2013-1670: https://bugzilla.mozilla.org/show_bug.cgi?id=853709 -- Its possible to call a content level constructor as if from a chrome/privileged page
• CVE-2013-0793: https://bugzilla.mozilla.org/show_bug.cgi?id=803870 -- XSS using timed document navigations. Hash navigation appears to confuse the browser to adopt the same BFCache and/or share a history entry between the 2 adjacent, cross-origin pages
• CVE-2012-5841: https://bugzilla.mozilla.org/show_bug.cgi?id=805807 -- Filtering wrapper should filter setters when returning a property descriptor
• CVE-2012-5837: https://bugzilla.mozilla.org/show_bug.cgi?id=800363 -- XSS in Web Developer Toolbar's chrome privilege page. JS payloads entered in the developer toolbar (specialy crafted payloads) are ran in the context of chrome:// URI. This means JavaScript is run as chrome privilege. The attack shows that one could trigger the run of an executable on windows using this technique.
• CVE-2012-4209: https://bugzilla.mozilla.org/show_bug.cgi?id=792405 -- Frames can shadow |top|. It is possible to shadow |top| with a frame whose name attribute's value is set to "top". As a result, plugins accessing top.location, such as Adobe Flash Player, may read an arbitrary URL.
• CVE-2012-4194: https://bugzilla.mozilla.org/show_bug.cgi?id=800666 -- Location can be spoofed using |valueOf|. When an object is joined with a string, its |valueOf| method is called before |toString|, and content can redefine the former.
• CVE-2012-3994: https://bugzilla.mozilla.org/show_bug.cgi?id=765527 -- Object.defineProperty can shadow |top|. Adobe Flash Player opens javascript:top.location+"flashplugin_unique" to determine the page origin. And it is possible to shadow |top| using Object.defineProperty.
• CVE-2012-3992: https://bugzilla.mozilla.org/show_bug.cgi?id=775009 -- History state error with late navigation involving a hash change. The trick here is to call history.forward and history.back in a rapid succession such that the targeted website loads into the session of the attacker. This allows the attacker to inject a script loaded from relative path and lead to XSS vulnerability. This seemed to be a problem dealing with channel that were not stopped.
• CVE-2012-3985: https://bugzilla.mozilla.org/show_bug.cgi?id=655649 -- Script access checks should use effective script origin, not origin. The HTML5 spec requires that browsers raise a SECURITY_ERR exception when members of the Window object (e.g. localStorage) are accessed by scripts that have a different effective script origin. Firefox allows access by scripts that have the same origin OR the same effective script origin. Factor of the vulnerability: Divergence from standard (laziness ?)
• CVE-2012-1966: https://bugzilla.mozilla.org/show_bug.cgi?id=734076 -- XSS with context menu. Perform an XSS attack using data: url
• CVE-2012-1965: https://bugzilla.mozilla.org/show_bug.cgi?id=758990 -- Don't allow feed: URLs with an innerURI that inherits the page's security context -- "feed:javascript:" URLs can be used to XSS sites that just blacklist "javascript:" and "data:" (feed: is used for RSS feed)
• CVE-2012-1956: https://bugzilla.mozilla.org/show_bug.cgi?id=756719 -- Object.defineProperty can shadow window.location. Once again, the attacker is able to shadow the "location" object.
• CVE-2012-1944: https://bugzilla.mozilla.org/show_bug.cgi?id=751422 -- execute even when inline scripts are blocked by CSP
• CVE-2012-0474: https://bugzilla.mozilla.org/show_bug.cgi?id=737307 -- universal XSS by confusing docshell with short-circuited loads. Using history.back/forward/back successively a foreign website can be loaded in another URL + javascript on that page then sends requests to the domain it was loaded into.
• CVE-2012-0455: https://bugzilla.mozilla.org/show_bug.cgi?id=704354 -- "DragAndDropJacking" (?) + javAscript: URL = XSS. Used the Drag and Drop HTML5 feature coupled with some exploit of the case sensitivity of "javascript" URL, to execute malicious code on behalf of a victim's page origin.
• CVE-2012-0446: https://bugzilla.mozilla.org/show_bug.cgi?id=705651 -- Frame scripts that access untrusted objects are exploitable

Opera

• CVE-2013-4705: https://www.cvedetails.com/cve/CVE-2013-4705/ -- Cross-site scripting (XSS) vulnerability in Opera before 15.00 allows remote attackers to inject arbitrary web script or HTML by leveraging UTF-8 encoding.
• CVE-2012-6464: http://www.opera.com/fr/security/advisory/1032 -- Cross domain access to object constructors can be used to facilitate cross-site scripting -- JavaScripts are able to redefine and override the methods of native objects. They may also do this with the native objects of any document that shares the same origin. By redefining the methods of another document through the constructor property of the document's host objects, a malicious script can cause Opera to override methods of native objects in documents from different origins. When scripts in those target documents then access those methods, they run the scripts defined by the malicious document, in the context of the target site. This allows cross-site scripting (XSS) attacks.
• CVE-2012-6463: http://www.opera.com/fr/security/advisory/1031 -- Data URIs can be used to facilitate Cross-Site Scripting. Data URIs are only supposed to inherit the scripting origin from the site that creates them, such as by including them as the target of a link or an inline frame in the source of the document. Specific sequences of document and data URI loading can cause Opera to forget which document created the data URI, and to allow the data URI document to inherit the scripting origin of a target page instead. The data URI document would then be allowed to interact with the target page, instead of the document that created it, resulting in cross-site scripting (XSS).
• CVE-2012-4144: http://www.opera.com/fr/security/advisory/1025 -- Element HTML content can be incorrectly returned without escaping, bypassing some HTML sanitizers -- When sites accept HTML from untrusted users, and use that HTML as page content, they typically sanitize the untrusted HTML to ensure that it does not contain any harmful content, such as malicious scripts. In some cases, this sanitization may be performed by writing and reading the contents of DOM elements. In certain situations, Opera may return the HTML contents of an element without correctly escaping all of the characters that denote HTML markup, allowing them to fool the sanitizer, so that they are subsequently interpreted as markup after being inserted into the page. This can then be used to facilitate cross-site scripting (XSS) attacks against Opera, without being detected by a sanitizer.
• CVE-2012-4142: http://www.opera.com/fr/security/advisory/1026 -- Certain characters in HTML can incorrectly be ignored, which can facilitate XSS attacks -- Sites that allow content to be provided by untrusted users, such as forums and blogging sites, typically sanitize the untrusted content to ensure that it does not contain any harmful content, such as malicious scripts. When certain characters appear at specific locations within HTML markup, they can cause Opera to ignore either that character, or the one following it, potentially altering the interpretation of the following markup. This can be used to facilitate cross-site scripting (XSS) attacks against Opera, without being detected by a sanitizer.
• CVE-2012-3556: http://www.opera.com/fr/security/advisory/1020 -- A combination of clicks and key presses can lead to cross site scripting or code execution -- Some sort of clickjacking: When a user double clicks on a page, they may expect the two clicks to target the same object. If a page uses the first click to open a pop-up window in a predictable location, the second click may focus parts of the new window, such as its address field. If the page can then convince the user to activate a scripted URL seeded in the address field, on a newly loaded target page within the pop-up, it can allow cross site scripting against the target page. Similar attacks could also be used against Opera's preferences to change preferences or select executables to be run by Opera. Non-trivial social engineering would be required to ensure that the user followed the desired sequence of clicks and keypresses, at precisely the right speed, while ignoring the opening and loading of pages within the pop-up.
• CVE-2012-3555: http://www.opera.com/fr/security/advisory/1021 -- Hidden keyboard navigation can allow cross site scripting or code execution. Some sort of clickjacking: When a user is interacting with a window, that window should be visible to the user, to ensure that the user realizes it is there. If a page is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end up performing undesirable actions on that page. Similar attacks could also be used against Opera's preferences to change preferences or select executables to be run by Opera. Additional social engineering steps are needed to ensure that the user presses the correct key sequence, without being able to show any relevant visual feedback, as the page cannot see that the keys are being pressed.
• CVE-2011-2609: http://www.opera.com/fr/security/advisory/995 -- Data URIs may be used to initiate cross site scripting against unrelated sites. Data URIs are supposed to inherit the security context from the page that created them. In some cases, Opera does not enforce this correctly, and will allow unrelated data URIs to interact both with each other, and their source pages. This can be used to enable cross site scripting against the target site, if the target site has some appropriate markup that allows it to be targeted.
• CVE-2010-4047: http://www.opera.com/fr/security/advisory/976 -- JavaScript might run in the wrong context if loaded from error page. If Opera is sent to an invalid URL, an error page will be displayed along with a link to the URL. The URL linked to might run scripts, and in some cases these scripts might be run in the wrong security context. This can be used to execute scripts in the context of an unrelated domain, which allows cross-site scripting. To exploit this vulnerability, an attacker must get the user to interact with a specially crafted error page.
• CVE-2010-4045: http://www.opera.com/fr/security/advisory/973 -- Reloads and redirects can allow spoofing and cross site scripting. Scripts on a page are supposed to be restricted so that they can only interact with other pages from the same domain and security context. Carefully timed reloads and redirects, when combined with appropriate caching, can cause scripts to execute in the wrong security context in Opera. This allows cross site scripting (XSS). In some cases, the address bar will also show the address of the target page. With minimal user interaction, this particular XSS vector may also be used to modify Opera's configuration, and this may in turn be used to execute arbitrary code on the computer.
• CVE-2010-2665: http://www.opera.com/fr/security/advisory/955 -- Data URIs can be used to allow cross-site scripting. Data URIs are allowed to run scripts that manipulate pages from the site that directly opened them. In some cases, the opening site is not correctly detected. In these cases, Data URIs may erroneously be able to run scripts so that they interact with sites that did not directly cause them to be opened.
• CVE-2009-4071: http://www.opera.com/fr/security/advisory/941 -- Error messages can leak onto unrelated sites. Scripting error messages are normally available only to the page that caused the error. In some cases, the error messages could be passed to other sites as the contents of unrelated variables, and may contain sensitive information. If those sites write the content into the page markup, this could allow cross-site scripting, using code provided by the attacking site. This issue only affects installations that have enabled stacktraces for exceptions, these are disabled by default.
• CVE-2009-3266: http://www.opera.com/fr/security/advisory/939 -- Opera may allow scripts to access feeds. Opera may allow scripts to run on the feed subscription page, thereby gaining access to the feeds object. This can be used for automatic subscription of feeds, or reading other feeds.
• CVE-2009-3013: http://websecurity.com.ua/3386/ -- Cross-Site Scripting attacks via redirectors. XSS attack via refresh-header redirectors. Attack is doing by redirecting to javascript: URI.
• CVE-2008-5682: http://www.opera.com/fr/security/advisory/924 -- Built-in XSLT templates can allow cross-site scripting. Built-in XSLT templates incorrectly handle escaped content and can cause it to be treated as markup. If a site accepts content from untrusted users, which it then displays using XSLT as escaped strings, this can allow scripted markup to be injected. The scripts will then be executed in the security context of that site. NOTE: XSL (eXtensible Stylesheet Language) is a styling language for XML.
• CVE-2008-1082: https://www.cvedetails.com/cve/CVE-2008-1082/ -- "bypass sanitization filters" and conduct cross-site scripting (XSS) attacks via crafted attribute values in an XML document, which are not properly handled during DOM presentation.