Bypassing Safari 5 XSS Auditor

Safari 5 was released today and, following IE8's lead (IE8 ships a reflected-XSS filter of its own), Apple has implemented what it calls XSS Auditor.
According to the Safari 5 site:

XSS Auditor: Safari can filter potentially malicious scripts used in cross-site scripting (XSS) attacks.

Indeed, Safari 5 does block the usual reflected payload "><script>alert(0)</script> (screenshot in the original post).

However, it took me just under two minutes to discover that the following bypasses the filter just fine:

"><img src=aa onerror=alert(0)

(Notice I haven't closed the tag or used quotes.) The browser's HTML parser tolerates both: unquoted attribute values are accepted, and the next > in the page's own markup closes the tag, so the bogus image fails to load and the onerror handler fires. The Auditor, which caught the <script> form of the same attack, does not recognise this one.
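To make the point concrete, here is an added example that is not code from the original post and not WebKit's or Safari's auditor logic. It is a toy Node.js page that reflects a query string into an HTML attribute value, rendered three ways: unprotected, behind a hypothetical blacklist that only recognises a <script> tag (a stand-in for signature-style filtering, not the real Auditor), and with proper attribute encoding. The names naiveFilter, encodeAttr, renderVulnerable, renderFiltered, renderSafe and tagNames are all assumptions made up for this example; the two payloads are the ones from the post.

```javascript
// Added example, not code from the original post or from WebKit/Safari.
// A toy page that reflects a query into an HTML attribute, shown unprotected,
// behind a naive <script>-only blacklist (hypothetical; NOT Safari's XSS
// Auditor logic), and with contextual output encoding.

// The two payloads from the post.
const SCRIPT_PAYLOAD = '"><script>alert(0)</script>';
const IMG_PAYLOAD = '"><img src=aa onerror=alert(0)';

// Hypothetical blacklist filter: drops the input if it looks like a <script> tag.
// Anything else, such as an <img> with an event handler, passes straight through.
function naiveFilter(input) {
  return /<\s*script\b/i.test(input) ? '' : input;
}

// Contextual output encoding for an HTML attribute value: every character that
// can end the attribute or start a tag becomes a character reference.
function encodeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Page template: the user's query is reflected into a quoted attribute value.
function renderVulnerable(q) {
  return `<input type="text" name="q" value="${q}">`;
}

// Same template behind the blacklist.
function renderFiltered(q) {
  return renderVulnerable(naiveFilter(q));
}

// Same template with the value encoded for the attribute context.
function renderSafe(q) {
  return `<input type="text" name="q" value="${encodeAttr(q)}">`;
}

// Lists the tag names a browser would see in the rendered markup. A page that
// reflects one attribute value should produce exactly ['input']; any further
// name means the input broke out of the attribute and opened its own tag.
function tagNames(html) {
  const names = [];
  const re = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the payload managed to inject a tag of its own.
function injects(render, payload) {
  return tagNames(render(payload)).length > 1;
}

// Demo: the blacklist stops the <script> payload but not the <img onerror>
// one; encoding stops both because the payload is rendered as inert text.
for (const [label, payload] of [['script', SCRIPT_PAYLOAD], ['img onerror', IMG_PAYLOAD]]) {
  console.log(`${label}: vulnerable=${injects(renderVulnerable, payload)}`
    + ` blacklist=${injects(renderFiltered, payload)}`
    + ` encoded=${injects(renderSafe, payload)}`);
}
console.log(renderSafe(IMG_PAYLOAD));
```

The encoded rendering leaves the string onerror=alert(0) visible inside the attribute, but as literal text: with the quote and the angle brackets turned into &quot;, &gt; and &lt; the parser never leaves the attribute value, so no new tag and no handler exist. That is the fix a site owner controls; a browser-side filter like the Auditor is only a second line of defence, and this post shows how thin that line can be.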

Posted by cirrus

Comments (7) Trackbacks (0)
  1. You know, you'd think with all the various backgrounds and, well, just full-on developers involved in these kinds of big releases, at least one would have thought to check up on things like this... maybe even just look through any of the hundreds of resources regarding this attack like, heck, the 5+ year old directory of old XSS hacks? http://ha.ckers.org/xss.html

    Are the iPad dev team co-working today with the Safari teams?
    Nice find; as far as I've seen, you're at least the first to report it.

  2. I’m seeing placeholders instead of screenshots.

  3. Why do you facilitate criminal mischief by giving hackers the keys to steal information and place malware on computers? You are a criminal.

  4. @MacSmiley Should be ok now.

  5. @Police. That’s Oracle circa “Unbreakable” through to when they got a clue and figured out security defects came free of charge care of Oracle developers, not security researchers.

    Apple ignores or actively does not participate in OWASP or any other web application security group. There’s very little chance that they will get it right any time soon without peer review or expert assistance.

    I will happily retract that, but with the insane secrecy culture @ Apple, I really doubt they will ever get their security act together.

  6. @Police
    Do not comment on issues you do not fully comprehend.
