WebKit’s XSS Auditor explained and current exploits

WebKit is an open source browser engine used by Safari and Chrome. To prevent cross-site scripting attacks (number 3 in this year’s OWASP list of security vulnerabilities), WebKit filters web traffic with an auditor.

The source of this auditor, called the XSS Auditor, can be read online: https://github.com/WebKit/webkit/blob/master/Source/WebCore/html/parser/XSSAuditor.cpp

What does it do?
It prevents cross-site scripting (XSS) by replacing a malicious script with an empty one, i.e. “<script></script>”.

As an example, we have our insecure web application.
[Screenshot: the insecure web application]

Which has a simple input value:
[Screenshot: the input field]

When a malicious XSS value is entered into an input field, such as “/><script>pay /* test */ </script></br”:
[Screenshot: the malicious value entered in the input field]

Then, after submitting the page, we see that the malicious script has been removed.
[Screenshot: the submitted page, with the script removed]
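To make the mechanism concrete, here is an added example, written for this post and not WebKit’s own code, of a deliberately simplified reflected-script auditor: an inline script whose body also appears in a request parameter is treated as injected and replaced by an empty script, as described above. It is run against a constructed form response (the form URL, parameter name and payload are assumptions) and against the noHtmlEscaping URL from the end of this post. The real XSSAuditor.cpp works on the tokenizer’s output and has many more rules (attributes, script src, canonicalisation), so this only models the core idea.

```javascript
// Added example: a deliberately simplified model of a reflected-script
// auditor. It is NOT WebKit's XSSAuditor.cpp (which works on tokenizer
// output and has many more rules); it only models the core idea:
// an inline <script> whose body also appears in a request parameter is
// treated as injected and its body is emptied.

// Decode the values of the query-string parameters of a request URL.
function requestValues(url) {
  const query = url.split("?")[1] || "";
  return query.split("&").map((pair) => {
    const value = pair.split("=").slice(1).join("=");
    return decodeURIComponent(value.replace(/\+/g, " "));
  });
}

// Matches inline <script> elements; group 1 is the script body.
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;

// Returns the audited HTML and how many scripts were neutralised.
function audit(requestUrl, responseHtml) {
  const values = requestValues(requestUrl);
  let blocked = 0;
  const html = responseHtml.replace(SCRIPT_RE, (whole, body) => {
    const trimmed = body.trim();
    const reflected = trimmed.length > 0 && values.some((v) => v.includes(trimmed));
    if (!reflected) return whole;     // the page's own script: leave it alone
    blocked += 1;
    return "<script></script>";       // reflected from the request: empty it
  });
  return { html, blocked };
}

// Case 1 (constructed): a form field echoed unescaped into the HTML, with a
// payload in the style of the post's form example. URL and parameter name
// are assumptions, not taken from the post.
const formPayload = '"/><script>alert(1) /* test */ </script></br';
const formUrl = "http://localhost:8081/insecure-web/form?name=" + encodeURIComponent(formPayload);
const formResponse = '<input value="' + formPayload + '">';

// Case 2: the post's noHtmlEscaping URL. The parameter lands inside a JS
// string in a script the page itself contains, so no new <script> appears
// and the script body as a whole is not present in the request.
const jsUrl = "http://localhost:8081/insecure-web/noHtmlEscaping?a=2%22;%20alert(document.cookie);%20var%20a=%221";
const jsPayload = requestValues(jsUrl)[0];   // '2"; alert(document.cookie); var a="1'
const jsResponse =
  '<script type="text/javascript">\n' +
  '    var a = "' + jsPayload + '";\n' +
  '    document.write("<text>Welcome "+ a + "</text>");\n' +
  "</script>";

// Summarise both cases: the form script is blocked, the JSP case passes.
function demo() {
  const form = audit(formUrl, formResponse);
  const js = audit(jsUrl, jsResponse);
  return { formBlocked: form.blocked, jsBlocked: js.blocked, jsUntouched: js.html === jsResponse };
}

console.log(demo());
```

Running it prints `{ formBlocked: 1, jsBlocked: 0, jsUntouched: true }`: the auditor can only act where the reflected input produces a script of its own, which is exactly why the JavaScript-string case below slips through.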

But wait! There are exploits.
It is good to know that the auditor does not cover all possible output contexts, for example a JavaScript string in JSP:

<script type="text/javascript">
    <%-- the request parameter is written unescaped into a JavaScript string literal --%>
    var a = "<%= request.getParameter("a") %>";
    document.write("<text>Welcome "+ a + "</text>");
</script>

When this code is called as follows in our insecure web application:

http://localhost:8081/insecure-web/noHtmlEscaping?a=2%22;%20alert(document.cookie);%20var%20a=%221

then we get to see our session cookie!
[Screenshot: the alert showing the session cookie]
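The reason the auditor has nothing to match here is the output context: the parameter lands inside a JavaScript string literal, and from there in document.write(), an HTML sink. The following added example (my own code, not the post’s or WebKit’s) renders the JSP page above in two ways and runs the generated script against stub document and alert objects, so the effect of each encoding choice is observable without a browser. The cookie value is a constructed sample.

```javascript
// Added example (not the post's code): the JSP snippet's output context is a
// JavaScript string literal inside <script>, and its value then flows into
// document.write(), an HTML sink. Both renderings below generate that page;
// execute() runs the generated script against stub document/alert objects.

// The parameter value from the post's noHtmlEscaping URL, decoded.
const payload = '2"; alert(document.cookie); var a="1';

// Vulnerable rendering: the value is concatenated straight into the literal,
// exactly like `var a = "<%= request.getParameter("a") %>";` in the JSP.
function renderUnsafe(a) {
  return '<script type="text/javascript">\n' +
    '    var a = "' + a + '";\n' +
    '    document.write("<text>Welcome "+ a + "</text>");\n' +
    '</script>';
}

// Encoding for the HTML sink (document.write).
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Encoding for the JS string context: JSON.stringify quotes the value and
// escapes " and \; <, >, & and the line terminators U+2028/U+2029 are then
// written as \uXXXX so the literal can never contain "</script>" or end the
// statement early.
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hardened rendering: encode for the innermost context first (HTML, because
// the value ends up in document.write), then for the JS string that carries it.
function renderSafe(a) {
  return '<script type="text/javascript">\n' +
    '    var a = ' + jsStringLiteral(htmlEscape(a)) + ';\n' +
    '    document.write("<text>Welcome "+ a + "</text>");\n' +
    '</script>';
}

// Execute the page's inline script with stubs; returns what alert() and
// document.write() received. The cookie value is a constructed sample.
function execute(html) {
  const body = /<script\b[^>]*>([\s\S]*?)<\/script>/i.exec(html)[1];
  const calls = { alerts: [], writes: [] };
  const fakeDocument = {
    cookie: "JSESSIONID=constructed-sample",
    write: (s) => calls.writes.push(s),
  };
  const fakeAlert = (s) => calls.alerts.push(s);
  new Function("document", "alert", body)(fakeDocument, fakeAlert);
  return calls;
}

// A tag-based filter has nothing to match: the payload contains no <script>,
// it only closes the string literal and appends a statement.
function containsScriptTag(s) {
  return /<script\b/i.test(s);
}

console.log("unsafe:", execute(renderUnsafe(payload)));
console.log("safe:  ", execute(renderSafe(payload)));
```

The unsafe rendering calls alert() with the cookie and writes "Welcome 1"; the hardened one never calls alert() and writes the whole payload as harmless text. Note the order of the two encoders: the value is HTML-escaped first because it ends up in an HTML sink, and only then turned into a JavaScript string literal; JSON.stringify alone would keep the script intact but still hand raw HTML to document.write.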