[XSS] Fixed regression in invalid characters optimization causing false negatives (thanks Tsubasa for reporting).
This commit is contained in:
parent
b9121e65ae
commit
2a30b265f1
|
@ -31,6 +31,8 @@ if (UA.isMozilla) {
|
|||
() => y("https://vulnerabledoma.in/char_test?body=%3Ca%20href=javascript%26colo%u0000n%3balert%281%u0029%3ECLICK"),
|
||||
() => y("https://vulnerabledoma.in/xss_link?url=javascript%26colo%00n%3Balert%u00281%29"),
|
||||
() => y("https://vulnerabledoma.in/xss_link?url=javascript:\\u{%0A6e}ame"),
|
||||
() => y("https://sandbox.hack.vet/issue/noscript/bypass/multibyte/?q=alert(document.cookie)//<"),
|
||||
() => y("https://sandbox.hack.vet/issue/noscript/bypass/multibyte/?q=/**🚫*/alert(document.cookie)"),
|
||||
].map(t => Test.run(t))
|
||||
);
|
||||
|
||||
|
|
|
@ -530,7 +530,7 @@ XSS.InjectionChecker = (async () => {
|
|||
let value;
|
||||
try {
|
||||
// see https://mathiasbynens.be/notes/javascript-identifiers-es6#acceptable-unicode-symbols
|
||||
value = new RegExp(preamble + "[^$_\\p{ID_Start}\\p{ID_Continue}\\u200c\\u200d\\u2028\\u2029]", "u");
|
||||
value = new RegExp(preamble + "[^\\x00-\\x7E\\p{ID_Start}\\p{ID_Continue}\\u200c\\u200d\\u2028\\u2029]", "u");
|
||||
} catch (e) {
|
||||
// Unicode entities are not supported in Gecko <= 77
|
||||
value = new RegExp(preamble + `[${this._createInvalidRanges()}]`, "u");
|
||||
|
@ -665,13 +665,14 @@ XSS.InjectionChecker = (async () => {
|
|||
|
||||
lastExpr = expr;
|
||||
|
||||
if (invalidCharsRx && invalidCharsRx.test(expr)) {
|
||||
this.log("Quick skipping invalid chars");
|
||||
break;
|
||||
if (invalidCharsRx) {
|
||||
let m = invalidCharsRx.test(expr);
|
||||
if (m) {
|
||||
this.log(`Quick skipping invalid chars on ${expr}, (${JSON.stringify(m)}).`);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
if (quote) {
|
||||
if (this.checkNonTrivialJSSyntax(expr)) {
|
||||
this.log("Non-trivial JS inside quoted string detected", iterations);
|
||||
|
|
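Review bot: In the new invalidCharsRx block, `let m = invalidCharsRx.test(expr);` yields a boolean, so `JSON.stringify(m)` in the log line only ever prints `true` instead of the character that triggered the skip, which is what the message reads as wanting; using `let m = invalidCharsRx.exec(expr);` and logging `m[0]` would record the actual offending code point, and since the regex is built with only the "u" flag in the earlier hunk, exec() carries no lastIndex state to reset. Because this branch breaks out of the checker, any over-broad match here suppresses detection entirely, so having the real match in the log is what makes the next false negative diagnosable. A short comment on the widened character class in the earlier hunk would also help, since the fix silently moves all of \x00-\x7E into the allowed set, e.g. `// ASCII is left to the full parser; only non-ASCII, non-identifier code points short-circuit here`. The enclosing loop starts and ends outside the hunk.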