
HTML parser bug triggers Chromium XSS security flaw

A “crazy” parser bug potentially leading to XSS exploits has been patched by Chromium developers.

The vulnerability was reported in July 2021 to Chromium developers by Michał Bentkowski, a penetration tester for Polish cybersecurity firm Securitum.

In a tweet, Bentkowski said the bug was “the most crazy parser bug I’ve ever found”.

Tracked as CVE-2022-0801, the medium-severity vulnerability is described as an “inappropriate implementation in HTML parser”.

Top of the tree

The security researcher found the security flaw in the Chromium source code’s tree builders. According to a Chromium bug tracker thread discussing Bentkowski’s findings, there are two tree builders in use: html_tree_builder.cc and html_tree_builder_simulator.cc.

HTML is initially parsed with html_tree_builder, and the result is then parsed with html_tree_builder_simulator. Any discrepancy between the two can therefore lead to a cross-site scripting (XSS) vulnerability.

“Html_tree_builder_simulator appears to be very short and simple,” Bentkowski said. “Unfortunately, it oversimplifies HTML parsing, and mishandles tokenizer state switching, leading to seemingly ‘impossible’ DOM trees being created.”

When the content was parsed into the second DOM tree, an image tag appeared outside of where the original parse had placed it, leading to XSS.
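The parser-differential class the article describes, as an added illustration that is not taken from the Chromium code or from Bentkowski’s report: a toy tokenizer that correctly switches into the raw-text states the HTML spec requires for elements such as textarea and title, beside a deliberately oversimplified one that never leaves the data state, and a check that lists the tags the two disagree on. The element set follows the HTML spec; the sample markup is constructed, and the actual CVE-2022-0801 trigger is not reproduced here.

```python
import re
from collections import Counter

# Elements whose content the HTML tokenizer reads as text rather than markup
# (spec: RCDATA for title/textarea, RAWTEXT for style/xmp/iframe/noembed/
# noframes, script data for script). A parser that forgets to switch into
# these states sees tags where the real parser sees text.
RAW_CONTENT = {"title", "textarea", "style", "xmp", "iframe",
               "noembed", "noframes", "script"}
# Simplified tag pattern: attributes containing '>' are not handled.
TAG = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9-]*)[^>]*>")


def tokenize(html, switch_states=True):
    """Return (kind, value) tokens. With switch_states=False this emulates an
    oversimplified tokenizer that never leaves the data state."""
    tokens, pos = [], 0
    while pos < len(html):
        m = TAG.search(html, pos)
        if not m:
            tokens.append(("text", html[pos:]))
            break
        if m.start() > pos:
            tokens.append(("text", html[pos:m.start()]))
        closing, name = m.group(1) == "/", m.group(2).lower()
        tokens.append(("end" if closing else "start", name))
        pos = m.end()
        if switch_states and not closing and name in RAW_CONTENT:
            # Raw-text state: everything up to the matching end tag is text.
            end = re.compile(rf"</{name}\s*>", re.IGNORECASE).search(html, pos)
            stop = end.start() if end else len(html)
            if stop > pos:
                tokens.append(("text", html[pos:stop]))
            pos = stop
    return tokens


def phantom_tags(html):
    """Tags the naive tokenizer emits that the state-switching tokenizer reads
    as text: the 'impossible' nodes a differential between two parsers yields."""
    real = Counter(t for t in tokenize(html, True) if t[0] != "text")
    naive = Counter(t for t in tokenize(html, False) if t[0] != "text")
    return sorted((naive - real).elements())


# Constructed sample: the <img> is plain text inside <textarea> to a correct
# tokenizer, but a real element to one that never switched state.
SAMPLE = '<p>hi</p><textarea><img src="x"></textarea>'

if __name__ == "__main__":
    print(phantom_tags(SAMPLE))  # [('start', 'img')]
```

A non-empty result from phantom_tags is the kind of disagreement a test suite for two cooperating parsers should flag before it can turn into a DOM an XSS filter never anticipated.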

Tough to categorize

The vulnerability was originally described as a mutation XSS, a form of XSS caused by differences in how browsers interpret code.

However, once a Chromium developer inferred the bug could be considered a universal XSS – a flaw in the vulnerable client-side browser itself – the researcher said he didn’t think either categorization was “a right depiction of this vulnerability”.

“I would say that the core of the issue is that: BackgroundHTMLParser may parse HTML incorrectly, leading to XSS on pages that have a correct prevention against XSS,” Bentkowski commented.

The Chrome Vulnerability Reward Program (VRP) awarded Bentkowski $5,000 for his report.

A patch has been issued to resolve the security flaw in Chrome 99.0.4844.51 by enabling the ForceSynchronousHTMLParsing feature by default. Microsoft has also implemented the fix for the Chromium-based Microsoft Edge browser.

The Chrome 99.0.4844.51 update includes 28 security fixes, notably CVE-2022-0789, a severe heap buffer overflow bug in ANGLE; CVE-2022-0799, a failure to properly implement policies in the installer; and CVE-2022-0798, a use-after-free vulnerability in MediaStream.

Bentkowski intends to provide a full write-up of the vulnerability in the future.


The Daily Swig has reached out to Bentkowski with additional queries, and we will update when we hear back.

Source: https://portswigger.net/daily-swig/html-parser-bug-triggers-chromium-xss-security-flaw
