The age of browser XSS filters is over

Google is removing XSS Auditor for Chrome after a series of vulnerabilities have plagued the hotly-contested security feature.

The anti-cross-site scripting (XSS) technology is to be deprecated and removed, Chromium devs announced last night.

XSS Auditor has generated more than a little controversy since it was implemented in Chrome v4 in 2010, with the discovery of numerous shortcomings resulting in calls for the technology to be abandoned.

The auditor was rolled out with ‘filter’ mode as default, which meant that web pages continued to be rendered, but filtered out any code that was suspected of presenting a potential XSS issue.

This mode was a cause of concern, as researcher Frederik Braun wrote: “When you allow websites to frame you, you basically give them full permission to decide, what part of JavaScript of your very own script can be executed and what cannot.

“That sounds crazy, right?”

Braun wrote how the function could be abused to disable certain elements on a page by inserting a script in the URL, which would execute on the page.

He added: “…defaulting to filter was a bad decision and it can be overriden (sic) with the X-XSS-Protection: 1; mode=block header.

“You could also disallow websites from putting you in an iframe with X-Frame-Options: DENY [header] but it still leaves an attack vector as your websites could be opened as a top-level window.”

Bypassing the auditor

XSS Auditor was also plagued by a number of bypass exploits. In fact, the ability to bypass was so common that it was considered a “functional bug” by the Chromium team, and not a security issue.

World renowned web security researcher Mario Heiderich has bypassed XSS Auditor in the past, and the vector still works today.

The feature was also found to produce false positives in Chrome version 57.0.2987.98.

These issues led Chrome devs to switch XSS Auditor from ‘filter’ to ‘block’ mode. As one might expect, this blocked the page from loading altogether, rather than filtering out specific scripts.

However this, too, was found to be vulnerable to exploits after research detailed how the ‘block’ function could be abused to exfiltrate information through so-called cross-site leak (XS-Leak) exploits.

After some back and forth, XSS Auditor was eventually switched back to filter mode this year because of the difficulty in fixing XS-Leak based attacks.

Researcher terjanq detailed in April how he was able to abuse the filter mode by bypassing the DOM validator for a CTF challenge using the well-known technique of abusing the filter to disable scripts.

He effectively tricked Chrome into believing that non-malicious script was attempting to execute XSS, allowing him to bypass code that implements security measures and execute script that he had inserted, causing XSS.

The technique of abusing the filter to disable scripts once again highlighted shortcomings in XSS Auditor, reigniting calls to remove the feature altogether.

The deprecation of XSS Auditor follows Microsoft’s decision to disable its own anti-cross-site scripting technology, XSS Filter, last year.

RELATED Google Chrome’s XSS Auditor goes back to filter mode