Microsoft Edge has an inline translation feature called Microsoft Auto Translation. Because it supports so many languages, it is commonly used by foreign-language users.
The auto translation feature takes text in one language and replaces it inline with the translation. What would happen if this were done insecurely? Any feature that rewrites page text is, by its nature, a natural universal XSS (uXSS) attack vector.
When Edge replaced the data inline, it was neither filtering out malicious characters nor HTML-encoding them, and the translated content was added directly into the DOM. As a result, when the content was written back to the page with the new formatting, it was possible to break out of the HTML attribute and get XSS.
The payload is quite simple: "><img src=x onerror=alert(1)>. The double quote (") breaks out of the HTML attribute, the > closes the current HTML element, and the XSS payload follows.
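The defect above, modelled as an added example (not Edge's code): a translator writes translated text back into an attribute, once by raw concatenation (the unsafe pattern the post describes) and once after HTML-encoding it. The function names escapeHtml, renderUnsafe, renderSafe and countStartTags are assumptions for illustration.

```javascript
// Added example, not Edge's code. Models a translation feature writing the
// translated string back into a double-quoted attribute value.

// Encode the five characters that can change HTML context inside text or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the translated text is dropped into the attribute as-is,
// so a quote in the text ends the attribute and the rest becomes markup.
function renderUnsafe(translated) {
  return '<input type="text" value="' + translated + '">';
}

// Hardened: same markup, but the untrusted text is encoded for the
// attribute context before it is inserted.
function renderSafe(translated) {
  return '<input type="text" value="' + escapeHtml(translated) + '">';
}

// Structural check useful in tests or logging: count start tags in the
// produced markup. Translated text must never add tags, so the count
// should always equal the template's own tag count (1 here).
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed input: the attribute-escape payload from the post.
const payload = '"><img src=x onerror=alert(1)>';

console.log(renderUnsafe(payload)); // 2 start tags: the input plus an injected img
console.log(renderSafe(payload));   // 1 start tag: the payload is inert text
```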
To demonstrate impact, the author placed this payload in a Facebook profile, a YouTube comment and a few other places. Universal XSS is extremely impactful even on the most secure of applications, since it affects the browser as a whole rather than any single site.
The bug is simple and impactful. I wonder what other features in modern browsers would be similarly vulnerable?