CVE Vulnerabilities

CVE-2010-1236

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Published: Apr 01, 2010 | Modified: Sep 19, 2017
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu

The protocolIs function in platform/KURLGoogle.cpp in WebCore in WebKit before r55822, as used in Google Chrome before 4.1.249.1036 and Flock Browser 3.x before 3.0.0.4112, does not properly handle whitespace at the beginning of a URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted javascript: URL, as demonstrated by a x00javascript:alert sequence.

Weakness

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Affected Software

Name Vendor Start Version End Version
Chrome Google 4.0.267.0 4.0.267.0
Chrome Google 4.0.248.0 4.0.248.0
Chrome Google 4.0.249.5 4.0.249.5
Chrome Google 4.0.249.46 4.0.249.46
Chrome Google 4.1.249.1017 4.1.249.1017
Chrome Google 4.0.249.74 4.0.249.74
Chrome Google 2.0.172.8 2.0.172.8
Chrome Google 4.0.249.69 4.0.249.69
Chrome Google 4.0.249.25 4.0.249.25
Chrome Google 3.0.182.2 3.0.182.2
Chrome Google 4.0.222.5 4.0.222.5
Chrome Google 4.0.249.53 4.0.249.53
Chrome Google 4.1.249.1001 4.1.249.1001
Chrome Google 4.0.249.40 4.0.249.40
Chrome Google 4.0.256.0 4.0.256.0
Chrome Google 4.0.245.0 4.0.245.0
Chrome Google 4.0.259.0 4.0.259.0
Chrome Google 4.0.249.14 4.0.249.14
Chrome Google 4.1.249.1011 4.1.249.1011
Chrome Google 4.0.249.12 4.0.249.12
Chrome Google 4.1.249.1022 4.1.249.1022
Chrome Google 4.0.249.1 4.0.249.1
Chrome Google 4.1.249.1027 4.1.249.1027
Chrome Google 3.0.195.38 3.0.195.38
Chrome Google 4.0.249.10 4.0.249.10
Chrome Google 4.0.251.0 4.0.251.0
Chrome Google 4.0.255.0 4.0.255.0
Chrome Google 4.0.249.20 4.0.249.20
Chrome Google 2.0.172.38 2.0.172.38
Chrome Google 1.0.154.59 1.0.154.59
Chrome Google 4.0.287.0 4.0.287.0
Chrome Google 4.0.302.2 4.0.302.2
Chrome Google 4.0.275.0 4.0.275.0
Chrome Google 4.1.249.1008 4.1.249.1008
Chrome Google 4.0.249.52 4.0.249.52
Chrome Google 4.0.249.11 4.0.249.11
Chrome Google 4.0.249.35 4.0.249.35
Chrome Google 4.0.295.0 4.0.295.0
Chrome Google 1.0.154.53 1.0.154.53
Chrome Google 4.0.229.1 4.0.229.1
Chrome Google 4.0.249.39 4.0.249.39
Chrome Google 2.0.170.0 2.0.170.0
Chrome Google 4.0.266.0 4.0.266.0
Chrome Google 4.0.212.0 4.0.212.0
Chrome Google 4.0.249.21 4.0.249.21
Chrome Google 4.0.237.1 4.0.237.1
Chrome Google 4.0.247.0 4.0.247.0
Chrome Google 4.1.249.1019 4.1.249.1019
Chrome Google 4.0.223.5 4.0.223.5
Chrome Google 4.0.257.0 4.0.257.0
Chrome Google 4.1.249.1012 4.1.249.1012
Chrome Google 4.1.249.1006 4.1.249.1006
Chrome Google 4.0.261.0 4.0.261.0
Chrome Google 4.0.249.34 4.0.249.34
Chrome Google 4.0.237.0 4.0.237.0
Chrome Google 2.0.169.1 2.0.169.1
Chrome Google 4.0.249.38 4.0.249.38
Chrome Google 4.1.249.1014 4.1.249.1014
Chrome Google 4.0.301.0 4.0.301.0
Chrome Google 2.0.172.33 2.0.172.33
Chrome Google 4.0.249.36 4.0.249.36
Chrome Google 4.0.254.0 4.0.254.0
Chrome Google 4.0.243.0 4.0.243.0
Chrome Google 4.0.223.8 4.0.223.8
Chrome Google 4.1.249.1028 4.1.249.1028
Chrome Google 4.1.249.1007 4.1.249.1007
Chrome Google 4.0.302.3 4.0.302.3
Chrome Google 4.0.249.65 4.0.249.65
Chrome Google 4.0.249.55 4.0.249.55
Chrome Google 4.0.222.0 4.0.222.0
Chrome Google 4.0.250.2 4.0.250.2
Chrome Google 4.0.239.0 4.0.239.0
Chrome Google 3.0.195.33 3.0.195.33
Chrome Google 4.0.300.0 4.0.300.0
Chrome Google 4.0.249.45 4.0.249.45
Chrome Google 4.1.249.1009 4.1.249.1009
Chrome Google 4.1.249.1018 4.1.249.1018
Chrome Google 4.0.288.0 4.0.288.0
Chrome Google 2.0.172.27 2.0.172.27
Chrome Google 4.0.264.0 4.0.264.0
Chrome Google 4.0.249.80 4.0.249.80
Chrome Google 4.0.290.0 4.0.290.0
Chrome Google 4.0.240.0 4.0.240.0
Chrome Google 4.1.249.1034 4.1.249.1034
Chrome Google 4.0.236.0 4.0.236.0
Chrome Google 4.0.249.29 4.0.249.29
Chrome Google 4.0.278.0 4.0.278.0
Chrome Google 1.0.154.65 1.0.154.65
Chrome Google 4.0.249.62 4.0.249.62
Chrome Google 4.1.249.0 4.1.249.0
Chrome Google 4.0.265.0 4.0.265.0
Chrome Google 4.0.249.31 4.0.249.31
Chrome Google 4.0.245.1 4.0.245.1
Chrome Google 4.1.249.1029 4.1.249.1029
Chrome Google 4.0.223.0 4.0.223.0
Chrome Google 4.0.263.0 4.0.263.0
Chrome Google * 4.1.249.1035
Chrome Google 4.0.249.75 4.0.249.75
Chrome Google 0.1.38.4 0.1.38.4
Chrome Google 4.0.249.4 4.0.249.4
Chrome Google 4.0.242.0 4.0.242.0
Chrome Google 4.0.249.44 4.0.249.44
Chrome Google 4.0.249.9 4.0.249.9
Chrome Google 4.0.249.50 4.0.249.50
Chrome Google 3.0.195.27 3.0.195.27
Chrome Google 4.0.249.43 4.0.249.43
Chrome Google 4.0.249.16 4.0.249.16
Chrome Google 4.0.275.1 4.0.275.1
Chrome Google 4.0.249.72 4.0.249.72
Chrome Google 4.0.249.18 4.0.249.18
Chrome Google 4.0.249.28 4.0.249.28
Chrome Google 4.0.249.33 4.0.249.33
Chrome Google 3.0.195.25 3.0.195.25
Chrome Google 4.0.249.58 4.0.249.58
Chrome Google 4.0.302.0 4.0.302.0
Chrome Google 4.0.299.0 4.0.299.0
Chrome Google 4.0.223.1 4.0.223.1
Chrome Google 4.1.249.1025 4.1.249.1025
Chrome Google 4.1.249.1010 4.1.249.1010
Chrome Google 4.0.249.49 4.0.249.49
Chrome Google 4.0.249.66 4.0.249.66
Chrome Google 4.0.249.59 4.0.249.59
Chrome Google 4.0.249.68 4.0.249.68
Chrome Google 4.1.249.1026 4.1.249.1026
Chrome Google 4.0.249.23 4.0.249.23
Chrome Google 4.1.249.1024 4.1.249.1024
Chrome Google 3.0.195.36 3.0.195.36
Chrome Google 4.0.249.63 4.0.249.63
Chrome Google 4.1.249.1031 4.1.249.1031
Chrome Google 4.0.222.12 4.0.222.12
Chrome Google 4.0.250.0 4.0.250.0
Chrome Google 4.0.223.2 4.0.223.2
Chrome Google 2.0.172.2 2.0.172.2
Chrome Google 4.0.305.0 4.0.305.0
Chrome Google 4.1.249.1032 4.1.249.1032
Chrome Google 4.0.249.60 4.0.249.60
Chrome Google 4.0.292.0 4.0.292.0
Chrome Google 4.0.269.0 4.0.269.0
Chrome Google 4.1.249.1004 4.1.249.1004
Chrome Google 4.0.249.78 4.0.249.78
Chrome Google 4.0.249.6 4.0.249.6
Chrome Google 1.0.154.64 1.0.154.64
Chrome Google 4.0.260.0 4.0.260.0
Chrome Google 4.0.304.0 4.0.304.0
Chrome Google 4.0.249.81 4.0.249.81
Chrome Google 4.0.249.76 4.0.249.76
Chrome Google 2.0.169.0 2.0.169.0
Chrome Google 4.0.212.1 4.0.212.1
Chrome Google 0.1.38.1 0.1.38.1
Chrome Google 4.0.272.0 4.0.272.0
Chrome Google 4.0.249.7 4.0.249.7
Chrome Google 4.0.241.0 4.0.241.0
Chrome Google 0.1.40.1 0.1.40.1
Chrome Google 4.0.249.32 4.0.249.32
Chrome Google 4.0.249.8 4.0.249.8
Chrome Google 4.0.249.48 4.0.249.48
Chrome Google 2.0.172.30 2.0.172.30
Chrome Google 0.1.42.3 0.1.42.3
Chrome Google 4.0.244.0 4.0.244.0
Chrome Google 4.0.249.0 4.0.249.0
Chrome Google 4.0.223.7 4.0.223.7
Chrome Google 4.1.249.1033 4.1.249.1033
Chrome Google 4.0.252.0 4.0.252.0
Chrome Google 4.0.249.82 4.0.249.82
Chrome Google 4.0.249.26 4.0.249.26
Chrome Google 4.0.249.70 4.0.249.70
Chrome Google 4.0.294.0 4.0.294.0
Chrome Google 4.0.249.71 4.0.249.71
Chrome Google 4.0.249.54 4.0.249.54
Chrome Google 4.1.249.1030 4.1.249.1030
Chrome Google 4.0.249.37 4.0.249.37
Chrome Google 4.0.223.9 4.0.223.9
Chrome Google 4.0.249.22 4.0.249.22
Chrome Google 4.0.246.0 4.0.246.0
Chrome Google 4.1.249.1016 4.1.249.1016
Chrome Google 4.0.224.0 4.0.224.0
Chrome Google 0.1.42.2 0.1.42.2
Chrome Google 4.0.249.57 4.0.249.57
Chrome Google 3.0.190.2 3.0.190.2
Chrome Google 4.0.249.89 4.0.249.89
Chrome Google 4.0.271.0 4.0.271.0
Chrome Google 4.0.268.0 4.0.268.0
Chrome Google 4.0.249.41 4.0.249.41
Chrome Google 4.0.249.2 4.0.249.2
Chrome Google 4.0.235.0 4.0.235.0
Chrome Google 4.0.249.30 4.0.249.30
Chrome Google 4.0.289.0 4.0.289.0
Chrome Google 4.0.296.0 4.0.296.0
Chrome Google 4.0.249.47 4.0.249.47
Chrome Google 4.1.249.1023 4.1.249.1023
Chrome Google 4.0.249.73 4.0.249.73
Chrome Google 4.0.258.0 4.0.258.0
Chrome Google 4.0.223.4 4.0.223.4
Chrome Google 4.0.249.17 4.0.249.17
Chrome Google 4.0.249.61 4.0.249.61
Chrome Google 4.0.277.0 4.0.277.0
Chrome Google 4.0.249.64 4.0.249.64
Chrome Google 4.0.249.77 4.0.249.77
Chrome Google 4.0.286.0 4.0.286.0
Chrome Google 2.0.172.28 2.0.172.28
Chrome Google 4.0.249.42 4.0.249.42
Chrome Google 4.0.249.3 4.0.249.3
Chrome Google 4.0.262.0 4.0.262.0
Chrome Google 4.0.249.19 4.0.249.19
Chrome Google 4.0.249.24 4.0.249.24
Chrome Google 4.0.249.56 4.0.249.56
Chrome Google 0.1.38.2 0.1.38.2
Chrome Google 4.0.249.27 4.0.249.27
Chrome Google 4.0.249.78 4.0.249.78
Chrome Google 4.0.302.1 4.0.302.1
Chrome Google 4.0.276.0 4.0.276.0
Chrome Google 4.1.249.1020 4.1.249.1020
Chrome Google 4.0.249.67 4.0.249.67
Chrome Google 2.0.172.37 2.0.172.37
Chrome Google 3.0.195.37 3.0.195.37
Chrome Google 4.0.288.1 4.0.288.1
Chrome Google 4.0.303.0 4.0.303.0
Chrome Google 4.0.222.1 4.0.222.1
Chrome Google 4.1.249.1015 4.1.249.1015
Chrome Google 4.0.221.8 4.0.221.8
Chrome Google 4.0.249.51 4.0.249.51
Chrome Google 4.1.249.1013 4.1.249.1013
Chrome Google 4.1.249.1021 4.1.249.1021
Chrome Google 4.0.249.79 4.0.249.79

Extended Description

Cross-site scripting (XSS) vulnerabilities occur when:

There are three main kinds of XSS:

Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim’s machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim’s account on that web site. Finally, the script could exploit a vulnerability in the web browser itself possibly taking over the victim’s machine, sometimes referred to as “drive-by hacking.” In many cases, the attack can be launched without the victim even being aware of it. Even with careful users, attackers frequently use a variety of methods to encode the malicious portion of the attack, such as URL encoding or Unicode, so the request looks less suspicious.

Potential Mitigations

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

  • Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft’s Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

  • Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

  • For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

  • Parts of the same output document may require different encodings, which will vary depending on whether the output is in the:

  • etc. Note that HTML Entity Encoding is only appropriate for the HTML body.

  • Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.

  • Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.

  • The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”

  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

  • When dynamically constructing web pages, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

  • Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon ("<3") would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the “<” character, which would need to be escaped or otherwise handled. In this case, stripping the “<” might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities.

  • Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.

  • Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

References