Websites thought to be XSS-protected could have been unintentionally exposed to XSS attacks in Chrome sessions

HTML parser bug triggers Chromium XSS security flaw

A “crazy” parser bug potentially leading to XSS exploits has been patched by Chromium developers.

The vulnerability was reported in July 2021 to Chromium developers by Michał Bentkowski, a penetration tester for Polish cybersecurity firm Securitum.

In a tweet, Bentkowski said the bug was “the most crazy parser bug I’ve ever found”.

Tracked as CVE-2022-0801, the medium-severity vulnerability is described as an inappropriate implementation in HTML parser.

Top of the tree

The security researcher found the security flaw in the Chromium source code’s tree builders. According to a Chromium bug tracker thread discussing Bentkowski’s findings, there are two tree builders in use: html_tree_builder.cc and html_tree_builder_simulator.cc.

HTML is initially parsed with html_tree_builder and then the result is parsed with html_tree_builder_simulator. As a result, if there is any discrepancy, this could trigger a cross-site scripting (XSS) vulnerability.




“Html_tree_builder_simulator appears to be very short and simple,” Bentkowski said. “Unfortunately, it oversimplifies HTML parsing, and mishandles tokenizer state switching, leading to seemingly "impossible" DOM trees being created.”

When content was parsed in the second DOM tree, an image tag was included outside of the original parse, leading to XSS.
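The kind of discrepancy described above can be surfaced with a differential check between two parsers. The following is an added toy model, not Chromium code and not the input from the report (which this article does not give). It assumes one well-known state-switching rule (`<style>` enters RAWTEXT only in the HTML namespace) and a hypothetical simplified parser that ignores the namespace; all function names are illustrative.

```javascript
// Toy model constructed for illustration: not Chromium code, not the reported input.
// Each function returns the tag names its parser would create as elements.

// Reference rule: <style> switches the tokenizer to RAWTEXT only in the HTML
// namespace; inside <svg> (foreign content) its children remain markup.
function referenceElements(html) {
  return scan(html, (tag, svgDepth) => tag === "style" && svgDepth === 0);
}

// Hypothetical simplified parser: switches to RAWTEXT on every <style>,
// without tracking whether it is currently inside foreign content.
function simplifiedElements(html) {
  return scan(html, (tag) => tag === "style");
}

// Shared scanner; entersRawText decides when a start tag switches tokenizer state.
function scan(html, entersRawText) {
  const elements = [];
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let svgDepth = 0;
  let rawTextEnd = null; // while set, only this end tag leaves RAWTEXT
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const isEnd = m[1] === "/";
    const tag = m[2].toLowerCase();
    if (rawTextEnd !== null) {
      if (isEnd && tag === rawTextEnd) rawTextEnd = null;
      continue; // anything else inside RAWTEXT is character data
    }
    if (isEnd) {
      if (tag === "svg" && svgDepth > 0) svgDepth--;
      continue;
    }
    elements.push(tag);
    if (tag === "svg") svgDepth++;
    if (entersRawText(tag, svgDepth)) rawTextEnd = tag;
  }
  return elements;
}

// Differential check: tags that only one of the two parsers treats as elements.
function parserDisagreement(html) {
  const ref = referenceElements(html);
  const sim = simplifiedElements(html);
  return { onlyReference: ref.filter((t) => !sim.includes(t)), onlySimplified: sim.filter((t) => !ref.includes(t)) };
}

// Constructed sample inputs using a harmless marker element.
const SAMPLES = ["<style><a>x</a></style>", "<svg><style><a>x</a></style></svg>"];
for (const s of SAMPLES) console.log(s, JSON.stringify(parserDisagreement(s)));
```

Any non-empty result means the two parsers would build different trees from the same bytes, which is the condition under which markup judged to be inert text by one parser can become a live element in the other.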

Tough to categorize

The vulnerability was originally described as a mutation XSS, a form of XSS caused by differences in how browsers interpret code.

However, once a Chromium developer inferred the bug could be considered a universal XSS – a flaw exploited through vulnerable client-side browsers – the researcher said he didn’t think either categorization was “a right depiction of this vulnerability”.

“I would say that the core of the issue is that: BackgroundHTMLParser may parse HTML incorrectly, leading to XSS on pages that have a correct prevention against XSS,” Bentkowski commented.




The Chrome Vulnerability Reward Program (VRP) awarded Bentkowski $5,000 for his report.

A patch has been issued to resolve the security flaw in Chrome 99.0.4844.51 by enabling the ForceSynchronousHTMLParsing feature by default. Microsoft has also implemented the fix for the Chromium-based Microsoft Edge browser.

The Chrome 99.0.4844.51 update includes 28 security fixes, notably CVE-2022-0789, a severe heap buffer overflow bug in ANGLE; CVE-2022-0799, a failure to properly implement policies in the installer; and CVE-2022-0798, a use-after-free vulnerability in MediaStream.

Bentkowski intends to provide a full write-up of the vulnerability in the future.

The Daily Swig has reached out to Bentkowski with additional queries, and we will update when we hear back.

