This Presentation

• General approach
   
• Specific approach for Google Chrome
   
• Specific approach for Internet Explorer

Browser specific approach

• XSS Auditor have to minimize false positive
  • Otherwise it gets annoying to users and they disable it.
  • Otherwise website disable it to prevent their website from having issues.
     
• Browsers have some rule that will whitelist reflected content on specific condition.

Google Chrome

• "It's a friend"
   
  • Resources hosted on the same domain are never detected or blocked
    • Can load user content as script.
      • X-Content-Type-Options header must be not set.
    • Can load powerful library (ex.: angular.js) used elsewhere in the site.
    • Can load JavaScript with DOM based reflected content.
  • The only restriction is that the URL must not contain any GET parameter.

Internet Explorer

• "It's from a friend"
   
  • Internet Explorer never perform XSS detection from resources where "Referer" == domain of the requested URL
     
    • JavaScript based redirect
    • Clickable URL from user content
    • <iframe> URL that you can control
    • "Referer" spoofing vulnerability
      • http://www.brokenbrowser.com/referer-spoofing-defeating-xss-filter/
      • It's fixed :(

Exercices

• This presentation
  • https://slides.com/olivierarteau/xss-auditor-bypass/
     
• Exercices
  • http://xss.zhack.ca/hackfest/