UXSS in Chromium-based browsers
url with a leading NULL byte can bypass cross origin protection - https://code.google.com/p/chromium/issues/detail?id=37383
Universal XSS in frame elements handling - https://code.google.com/p/chromium/issues/detail?id=143439
Pwnium UXSS variation - https://code.google.com/p/chromium/issues/detail?id=117550
UXSS with document.baseURI - https://code.google.com/p/chromium/issues/detail?id=90222
Universal XSS using widget updates in ContainerNode::parserRemoveChild - https://bugs.chromium.org/p/chromium/issues/detail?id=560011
Security: Universal XSS using Flash message loop - https://bugs.chromium.org/p/chromium/issues/detail?id=569496
Cross-origin access using window.execScript + code execution - https://bugs.chromium.org/p/chromium/issues/detail?id=83096
Universal XSS using contentWindow.eval - https://bugs.chromium.org/p/chromium/issues/detail?id=83743
UXSS with empty SecurityOrigin - https://bugs.chromium.org/p/chromium/issues/detail?id=89453
UXSS / frame escape with window.open - https://bugs.chromium.org/p/chromium/issues/detail?id=89520
Arbitrary cross-origin bypass using __defineGetter__ prototype override - https://bugs.chromium.org/p/chromium/issues/detail?id=93416
UXSS using Object.getPrototypeOf - https://bugs.chromium.org/p/chromium/issues/detail?id=93759
Cross-origin access to window.__proto__ - https://bugs.chromium.org/p/chromium/issues/detail?id=95671
UXSS and use-after-free when DOMWindow is accessed after navigation - https://bugs.chromium.org/p/chromium/issues/detail?id=96047
UXSS via Object::GetRealNamedPropertyInPrototypeChain - https://bugs.chromium.org/p/chromium/issues/detail?id=96885
UXSS via HTMLObjectElement - https://bugs.chromium.org/p/chromium/issues/detail?id=98053
UXSS: XSLT-generated document should inherit its SecurityOrigin from the source document - https://bugs.chromium.org/p/chromium/issues/detail?id=99512
UXSS: executeIfJavaScriptURL gets confused by synchronous frame loads - https://bugs.chromium.org/p/chromium/issues/detail?id=99750
Location bar spoofing when using replaceState in unload event handler - https://bugs.chromium.org/p/chromium/issues/detail?id=101235
v8 builtins object exposed to user causing UXSS - https://bugs.chromium.org/p/chromium/issues/detail?id=143437
【Copyright @Sevck, blog: http://www.cnblogs.com/sevck】 May be reproduced; please credit the source.