uxss-db
uxss-db copied to clipboard
Published
20 hours ago •
Metnew
Metnew
🔪Browser logic vulnerabilities :skull_and_crossbones:
uxss-db 🔪
Star the repo, if it was useful for you ⭐️.
Any help is highly appreciated, 🙏 check TODO!
-
uxss-db 🔪
- Intro
- Webkit
- Chromium
- IE/Edge
- Articles
- Whitepapers
-
Browser hacking guides and design docs
- Firefox
- Tor
- Brave
- Chromium
- Webkit
- Electron
- Specs
- Bounties
- Misc
- Scripts
- Author
- LICENSE
- TODO
Inspired by js-vuln-db
For memory bugs, exploits and other: check awesome-browser-exploit
You can extract
js-vuln-dbCVEs to.html/.jsfiles using Scripts
Intro
Some CVE ids were not found:
- 0-$$$$ - the issue with id $$$$ in google project zero tracker
- cr-$$$$ - the issue with id $$$$ in Chromium tracker
- some-bug - the vulnerability doesn't have CVE or CVE is unknown
Version field has "?" symbol, if a version wasn't attached to the report
NOTE: Many CVEs aren't listed in the tables below!
Check /other folder = unsorted/unknown/duplicated CVEs and vulnerabilities for less popular browsers
Webkit
| CVE/id | title | version | date |
|---|---|---|---|
| CVE-2017-7089 | UXSS via parent-tab:// |
10? | Sep 20, 2017 |
| CVE-2017-7037 | UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive |
10? | Mar 10 2017 |
| 0-1197 | WebKit: UXSS via CachedFrameBase::restore |
10? | Mar 17 2017 |
| CVE-2017-2528 | UXSS: CachedFrame doesn't detach openers |
10? | Mar 10 2017 |
| 0-1163 | UXSS via Document::prepareForDestruction and CachedFrame |
10? | Mar 3 2017 |
| CVE-2017-2510 | UXSS: enqueuePageshowEvent and enqueuePopstateEvent don't enqueue, but dispatch |
10? | Feb 27 2017 |
| CVE-2017-2508 | UXSS via ContainerNode::parserInsertBefore |
10? | Feb 24 2017 |
| 0-1134 | UXSS via ContainerNode::parserRemoveChild (2) |
10? | Feb 17 2017 |
| 0-1132 | UXSS: the patch of #1110 made another bug | 10 | Feb 16 2017 |
| CVE-2017-2504 | UXSS via Editor::Command::execute |
10.0.3 | Feb 16 2017 |
| CVE-2017-2493 | UXSS through HTMLObjectElement::updateWidget |
10.0.3 | Feb 9 2017 |
| CVE-2017-2480 | UXSS via a synchronous page load | 10.0.3 | Feb 9 2017 |
| CVE-2017-2479 | UXSS via a focus event and a link element | 10.0.3 | Feb 9 2017 |
| CVE-2017-2475 | UXSS via ContainerNode::parserRemoveChild |
10.0.3 | Feb 2 2017 |
| CVE-2017-2468 | Use-After-Free via Document::adoptNode |
10.0.3 | Jan 23 2017 |
| 0-1094 | UXSS via operationSpreadGeneric |
10.0.2 | Jan 20 2017 |
| 0-1084 | UXSS via PrototypeMap::createEmptyStructure |
10.0.2 | Jan 17 2017 |
| CVE-2017-2445 | UXSS via disconnectSubframes |
10.0.2 | Jan 9 2017 |
| CVE-2017-2442 | UXSS with JSCallbackData |
10.0.2 | Jan 3 2017 |
| CVE-2017-2367 | UXSS by accessing a named property from an unloaded window | 10.0.2 | Dec 23 2016 |
| CVE-2017-2365 | UXSS via Frame::setDocument |
10.0.2 | Dec 20 2016 |
| CVE-2017-2364 | UXSS via Frame::setDocument (1). |
10.0.2 | Dec 20 2016 |
| CVE-2017-2363 | UXSS via FrameLoader::clear |
10.0.2 | Dec 19 2016 |
Chromium
| CVE/id | title | version | date |
|---|---|---|---|
| CVE-2018-6128 | UXSS via URL parsing bug | 66 | May 9 2018 |
| CVE-2017-5124 | UXSS with MHTML | 61 | Oct 20 2017 |
| cr-687844 | window.external leaks global object + cross origin script access |
57 | Feb 2 2017 |
| CVE-2017-5007 | UXSS through bypassing ScopedPageSuspender with closing windows |
55 | Dec 5 2016 |
| cr-656274 | Cross-origin object leak via fetch |
56 (canary) | Oct 15 2016 |
| cr-594383 | UXSS via window.open() via file:// pages |
54 | Oct 15 2016 |
| CVE-2016-5207 | UXSS via fullscreen element updates | 54 | Oct 14 2016 |
| CVE-2016-5204 | UXSS by intercepting a UA shadow tree | 52 | Jul 24 2016 |
| CVE-2016-1676 | Persistent UXSS via SchemaRegistry |
50 | Apr 19 2016 |
| CVE-2016-1667 | UXSS through adopting image elements | 50 | Apr 21 2016 |
| CVE-2016-1674 | UXSS via the interception of Binding with Object.prototype.create |
49 | Mar 26 2016 |
| CVE-2016-1673 | UXSS using a FrameNavigationDisabler bypass |
49 | Mar 24 2016 |
| cr-583445 | UXSS in DocumentLoader::createWriterFor |
48 | Feb 2 2016 |
| CVE-2016-1631 | UXSS using Flash message loop | 47 | Dec 14 2015 |
| CVE-2015-6770 | UXSS using document.adoptNode |
45 | Oct 8 2015 |
| CVE-2015-6769 | UXSS via the unload_event module |
45 | Sep 22 2015 |
| CVE-2015-6765 | UXSS via ContainerNode::parserInsertBefore |
44 | Aug 11 2015 |
| CVE-2015-1268 | UXSS using IDBKeyRange static methods | 43 | May 31 2015 |
| CVE-2014-1747 | UXSS via local MHTML files | 35 | Dec 25 2013 |
| CVE-2014-1701 | UXSS via dispatchEvent on iframes |
32 | Feb 11 2014 |
| CVE-2011-2856 | Arbitrary cross-origin bypass using __defineGetter__ prototype override |
15 | Aug 18 2011 |
| CVE-2011-3243 | Universal XSS using contentWindow.eval |
12 | May 24 2011 |
| CVE-2011-1438 | bypass SOP with blob: |
11 | Mar 2 2011 |
| cr-74372 | chrome://blob-internals/ XSS |
11 | Feb 28 2011 |
| cr-37383 | javascript: url with a leading NULL byte can bypass cross origin protection. |
? | Mar 4 2010 |
IE/Edge
| CVE/id | version/date | reporter |
|---|---|---|
| CVE-2015-0072, alternative PoC |
Articles
- (RU) Комикс о UXSS в Safari и Chrome - CVE-2017-5124 + CVE-2017-7089
- Analysis on Internet Explorer's UXSS - CVE-2015-0072
- Universal XSS via Evernote WebClipper
- Mobile Browsers Security: iOS
- SOP bypass / UXSS – Stealing Credentials Pretty Fast (Edge) - May 10, 2017
- Grabbing data from Inputs and Textareas (Edge/IE) - Aug 28, 2016
- Exploring and Exploiting iOS Web Browsers - Łukasz Pilorz, Marek Zmysłowski, Hack In The Box, Amsterdam 2014
- https://leucosite.com blog by @Qab
-
BrokenBrowser blog:
- https://www.brokenbrowser.com/revealing-the-content-of-the-address-bar-ie/
- https://www.brokenbrowser.com/sop-bypass-uxss-tweeting-like-charles-darwin/
- https://www.brokenbrowser.com/sop-bypass-abusing-read-protocol/
- https://www.brokenbrowser.com/microsoft-edge-detecting-installed-extensions/
- https://www.brokenbrowser.com/free-ticket-to-the-intranet-zone/
- https://www.brokenbrowser.com/uxss-ie-domainless-world/
- https://www.brokenbrowser.com/bypass-the-patch-to-keep-spoofing-the-address-bar-with-the-malware-warning/
- https://www.brokenbrowser.com/zombie-alert/
- https://www.brokenbrowser.com/uxss-ie-htmlfile/
- https://www.brokenbrowser.com/uxss-edge-domainless-world/
- https://www.brokenbrowser.com/abusing-of-protocols/
- https://www.brokenbrowser.com/loading-insecure-content-in-secure-pages/
- https://www.brokenbrowser.com/detecting-local-files-to-evade-analysts/
- https://www.brokenbrowser.com/workers-sop-bypass-importscripts-and-basehref/
- https://www.brokenbrowser.com/detecting-apps-mimetype-malware/
- https://www.brokenbrowser.com/referer-spoofing-defeating-xss-filter/
- https://www.brokenbrowser.com/css-history-leak/
- https://www.brokenbrowser.com/grabdatafrominput/
Whitepapers
- X41: Browser Security White Paper + website + repo
- The Definitive Guide to Same-origin Policy
- On the Security of the SOP-DOM Using HTML and JavaScript Code
- Same-Origin Policy: Evaluation in Modern Browsers + slides + talk + your-sop.com
- Google Browser Security Handbook
- A Security Study of Chrome’s Process-based Sandboxing
- A Systematic Approach to Uncover Security Flaws in GUI Logic
- JSON hijacking
- Bypassing the Same Origin Policy - The Browser Hacker’s Handbook (2014)
Browser hacking guides and design docs
Firefox
Tor
Brave
- Brave browser repo
- Component Structure
- Directory Structure
- State - similar to Redux state concept, but just an ImmutableJS object
- How to work with crashes
Chromium
- How Chromium Displays Web Pages
- Chromium: Multi-process Architecture
- Site Isolation Design Document
- Threading and Tasks in Chrome
- Important Abstractions and Data Structures
Webkit
Electron
Specs
Bounties
Misc
- NodeFuzz - web browser fuzzer
- brave/Muon - Build browsers and browser like applications with HTML, CSS, and JavaScript (part of the Brave's bug bounty)
- https://ios.browsr-tests.com - list of SOP bypasses in iOS
- https://github.com/rafaybaloch/SOP-Bypass-Mini-Test-Suite - list of SOP bypasses
- ref_fuzz fuzzer - source code
- javascript - Ways to circumvent the same-origin policy - Stack Overflow - document.domain, window.postMessage, CORS, reverse proxy( + jsonp)
- Slides about cookie security - Cookie same origin policy
- PortSwigger/hackability - "Devtools" for browser security. (useful for less known browsers)
Scripts
# Export `js-vuln-db` repo CVEs to html
bash ./scripts/js-vuln-db-to-format.sh html
# Export `js-vuln-db` repo CVEs to js
bash ./scripts/js-vuln-db-to-format.sh js
Author
Vladimir Metnew mailto:[email protected]
LICENSE
MIT
TODO
- Add these bugs:
- Pwn2Own: content: scheme allows cross-origin info leaks
- Use-after free in leveldb
- Security: UaF in MidiHost round 2 (JS -> Browser code execution)
- https://bugs.chromium.org/p/chromium/issues/detail?id=419383
- https://github.com/mpgn/ByP-SOP
- http://unsafe.cracking.com.ar/demos/edgedatametadata/bing.html
- https://bugs.chromium.org/p/chromium/issues/detail?id=666246
- http://www.cracking.com.ar/demos/workerleak/
- http://www.cracking.com.ar/demos/xmldom/
- http://unsafe.cracking.com.ar/demos/sandboxedge/
- https://www.cracking.com.ar/demos/sop-ax-htmlfile/injectiframexdom.html
- 438085 - Security: SOP bypass via DNS-Rebind (including PoC) - chromium - Monorail
- demonic_browsers.pdf
- JSON hijacking for the modern web | Blog
- Pwnfest 2016 meta bug
- https://bugs.chromium.org/p/chromium/issues/detail?id=682020
- https://blog.jeremiahgrossman.com/2006/08/i-know-where-youve-been.html - that web 1.0 thing
Metnew