uxss-db 🔪

Star the repo, if it was useful for you ⭐️.

Any help is highly appreciated, 🙏 check TODO!

• uxss-db 🔪
  • Intro
  • Webkit
  • Chromium
  • IE/Edge
  • Articles
  • Whitepapers
  • Browser hacking guides and design docs
    • Firefox
    • Tor
    • Brave
    • Chromium
    • Webkit
    • Electron
  • Specs
  • Bounties
  • Misc
  • Scripts
  • Author
  • LICENSE
  • TODO

Inspired by js-vuln-db

For memory bugs, exploits and other: check awesome-browser-exploit

You can extract js-vuln-db CVEs to .html/.js files using Scripts

Intro

• What is UXSS?
• What is SOP?
• What is CORS?

Some CVE ids were not found:

• 0-$$$$ - the issue with id $$$$ in google project zero tracker
• cr-$$$$ - the issue with id $$$$ in Chromium tracker
• some-bug - the vulnerability doesn't have CVE or CVE is unknown

Version field has "?" symbol, if a version wasn't attached to the report

NOTE: Many CVEs aren't listed in the tables below!

Check /other folder = unsorted/unknown/duplicated CVEs and vulnerabilities for less popular browsers

Webkit

CVE/id	title	version	date
CVE-2017-7089	UXSS via parent-tab://	10?	Sep 20, 2017
CVE-2017-7037	UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive	10?	Mar 10 2017
0-1197	WebKit: UXSS via CachedFrameBase::restore	10?	Mar 17 2017
CVE-2017-2528	UXSS: CachedFrame doesn't detach openers	10?	Mar 10 2017
0-1163	UXSS via Document::prepareForDestruction and CachedFrame	10?	Mar 3 2017
CVE-2017-2510	UXSS: enqueuePageshowEvent and enqueuePopstateEvent don't enqueue, but dispatch	10?	Feb 27 2017
CVE-2017-2508	UXSS via ContainerNode::parserInsertBefore	10?	Feb 24 2017
0-1134	UXSS via ContainerNode::parserRemoveChild (2)	10?	Feb 17 2017
0-1132	UXSS: the patch of #1110 made another bug	10	Feb 16 2017
CVE-2017-2504	UXSS via Editor::Command::execute	10.0.3	Feb 16 2017
CVE-2017-2493	UXSS through HTMLObjectElement::updateWidget	10.0.3	Feb 9 2017
CVE-2017-2480	UXSS via a synchronous page load	10.0.3	Feb 9 2017
CVE-2017-2479	UXSS via a focus event and a link element	10.0.3	Feb 9 2017
CVE-2017-2475	UXSS via ContainerNode::parserRemoveChild	10.0.3	Feb 2 2017
CVE-2017-2468	Use-After-Free via Document::adoptNode	10.0.3	Jan 23 2017
0-1094	UXSS via operationSpreadGeneric	10.0.2	Jan 20 2017
0-1084	UXSS via PrototypeMap::createEmptyStructure	10.0.2	Jan 17 2017
CVE-2017-2445	UXSS via disconnectSubframes	10.0.2	Jan 9 2017
CVE-2017-2442	UXSS with JSCallbackData	10.0.2	Jan 3 2017
CVE-2017-2367	UXSS by accessing a named property from an unloaded window	10.0.2	Dec 23 2016
CVE-2017-2365	UXSS via Frame::setDocument	10.0.2	Dec 20 2016
CVE-2017-2364	UXSS via Frame::setDocument (1).	10.0.2	Dec 20 2016
CVE-2017-2363	UXSS via FrameLoader::clear	10.0.2	Dec 19 2016

Chromium

CVE/id	title	version	date
CVE-2018-6128	UXSS via URL parsing bug	66	May 9 2018
CVE-2017-5124	UXSS with MHTML	61	Oct 20 2017
cr-687844	window.external leaks global object + cross origin script access	57	Feb 2 2017
CVE-2017-5007	UXSS through bypassing ScopedPageSuspender with closing windows	55	Dec 5 2016
cr-656274	Cross-origin object leak via fetch	56 (canary)	Oct 15 2016
cr-594383	UXSS via window.open() via file:// pages	54	Oct 15 2016
CVE-2016-5207	UXSS via fullscreen element updates	54	Oct 14 2016
CVE-2016-5204	UXSS by intercepting a UA shadow tree	52	Jul 24 2016
CVE-2016-1676	Persistent UXSS via SchemaRegistry	50	Apr 19 2016
CVE-2016-1667	UXSS through adopting image elements	50	Apr 21 2016
CVE-2016-1674	UXSS via the interception of Binding with Object.prototype.create	49	Mar 26 2016
CVE-2016-1673	UXSS using a FrameNavigationDisabler bypass	49	Mar 24 2016
cr-583445	UXSS in DocumentLoader::createWriterFor	48	Feb 2 2016
CVE-2016-1631	UXSS using Flash message loop	47	Dec 14 2015
CVE-2015-6770	UXSS using document.adoptNode	45	Oct 8 2015
CVE-2015-6769	UXSS via the unload_event module	45	Sep 22 2015
CVE-2015-6765	UXSS via ContainerNode::parserInsertBefore	44	Aug 11 2015
CVE-2015-1268	UXSS using IDBKeyRange static methods	43	May 31 2015
CVE-2014-1747	UXSS via local MHTML files	35	Dec 25 2013
CVE-2014-1701	UXSS via dispatchEvent on iframes	32	Feb 11 2014
CVE-2011-2856	Arbitrary cross-origin bypass using __defineGetter__ prototype override	15	Aug 18 2011
CVE-2011-3243	Universal XSS using contentWindow.eval	12	May 24 2011
CVE-2011-1438	bypass SOP with blob:	11	Mar 2 2011
cr-74372	chrome://blob-internals/ XSS	11	Feb 28 2011
cr-37383	javascript: url with a leading NULL byte can bypass cross origin protection.	?	Mar 4 2010

IE/Edge

CVE/id	version/date	reporter
CVE-2015-0072, alternative PoC

Articles

• (RU) Комикс о UXSS в Safari и Chrome - CVE-2017-5124 + CVE-2017-7089
• Analysis on Internet Explorer's UXSS - CVE-2015-0072
• Universal XSS via Evernote WebClipper
• Mobile Browsers Security: iOS
• SOP bypass / UXSS – Stealing Credentials Pretty Fast (Edge) - May 10, 2017
• Grabbing data from Inputs and Textareas (Edge/IE) - Aug 28, 2016
• Exploring and Exploiting iOS Web Browsers - Łukasz Pilorz, Marek Zmysłowski, Hack In The Box, Amsterdam 2014
• https://leucosite.com blog by @Qab
• BrokenBrowser blog:
  • https://www.brokenbrowser.com/revealing-the-content-of-the-address-bar-ie/
  • https://www.brokenbrowser.com/sop-bypass-uxss-tweeting-like-charles-darwin/
  • https://www.brokenbrowser.com/sop-bypass-abusing-read-protocol/
  • https://www.brokenbrowser.com/microsoft-edge-detecting-installed-extensions/
  • https://www.brokenbrowser.com/free-ticket-to-the-intranet-zone/
  • https://www.brokenbrowser.com/uxss-ie-domainless-world/
  • https://www.brokenbrowser.com/bypass-the-patch-to-keep-spoofing-the-address-bar-with-the-malware-warning/
  • https://www.brokenbrowser.com/zombie-alert/
  • https://www.brokenbrowser.com/uxss-ie-htmlfile/
  • https://www.brokenbrowser.com/uxss-edge-domainless-world/
  • https://www.brokenbrowser.com/abusing-of-protocols/
  • https://www.brokenbrowser.com/loading-insecure-content-in-secure-pages/
  • https://www.brokenbrowser.com/detecting-local-files-to-evade-analysts/
  • https://www.brokenbrowser.com/workers-sop-bypass-importscripts-and-basehref/
  • https://www.brokenbrowser.com/detecting-apps-mimetype-malware/
  • https://www.brokenbrowser.com/referer-spoofing-defeating-xss-filter/
  • https://www.brokenbrowser.com/css-history-leak/
  • https://www.brokenbrowser.com/grabdatafrominput/

Whitepapers

• X41: Browser Security White Paper + website + repo
• The Definitive Guide to Same-origin Policy
• On the Security of the SOP-DOM Using HTML and JavaScript Code
• Same-Origin Policy: Evaluation in Modern Browsers + slides + talk + your-sop.com
• Google Browser Security Handbook
• A Security Study of Chrome’s Process-based Sandboxing
• A Systematic Approach to Uncover Security Flaws in GUI Logic
• JSON hijacking
• Bypassing the Same Origin Policy - The Browser Hacker’s Handbook (2014)

Browser hacking guides and design docs

Firefox

• 7 Tips for Fuzzing Firefox More Effectively

Tor

• The Tor Browser Hacking Guide
• The Design and Implementation of the Tor Browser [DRAFT]

Brave

• Brave browser repo
• Component Structure
• Directory Structure
• State - similar to Redux state concept, but just an ImmutableJS object
• How to work with crashes

Chromium

• How Chromium Displays Web Pages
• Chromium: Multi-process Architecture
• Site Isolation Design Document
• Threading and Tasks in Chrome
• Important Abstractions and Data Structures

Webkit

• Core WebKit Classes
• Webkit docs on developer.apple.com

Electron

• Modern Alchemy: Turning XSS into RCE
• Electron Security Checklist

Specs

• W3C Suborigins [DRAFT]
• W3C Service Workers Nightly
• ECMA 262

Bounties

• Zerodium
• Tor
• Chrome
• Brave
• SSD
• MS Edge

Misc

• NodeFuzz - web browser fuzzer
• brave/Muon - Build browsers and browser like applications with HTML, CSS, and JavaScript (part of the Brave's bug bounty)
• https://ios.browsr-tests.com - list of SOP bypasses in iOS
• https://github.com/rafaybaloch/SOP-Bypass-Mini-Test-Suite - list of SOP bypasses
• ref_fuzz fuzzer - source code
• javascript - Ways to circumvent the same-origin policy - Stack Overflow - document.domain, window.postMessage, CORS, reverse proxy( + jsonp)
• Slides about cookie security - Cookie same origin policy
• PortSwigger/hackability - "Devtools" for browser security. (useful for less known browsers)

Scripts

  # Export `js-vuln-db` repo CVEs to html
  bash ./scripts/js-vuln-db-to-format.sh html
  # Export `js-vuln-db` repo CVEs to js
  bash ./scripts/js-vuln-db-to-format.sh js

Author

Vladimir Metnew mailto:[email protected]

LICENSE

MIT

TODO

• Add these bugs:
  • Pwn2Own: content: scheme allows cross-origin info leaks
  • Use-after free in leveldb
  • Security: UaF in MidiHost round 2 (JS -> Browser code execution)
  • https://bugs.chromium.org/p/chromium/issues/detail?id=419383
  • https://github.com/mpgn/ByP-SOP
  • http://unsafe.cracking.com.ar/demos/edgedatametadata/bing.html
  • https://bugs.chromium.org/p/chromium/issues/detail?id=666246
  • http://www.cracking.com.ar/demos/workerleak/
  • http://www.cracking.com.ar/demos/xmldom/
  • http://unsafe.cracking.com.ar/demos/sandboxedge/
  • https://www.cracking.com.ar/demos/sop-ax-htmlfile/injectiframexdom.html
  • 438085 - Security: SOP bypass via DNS-Rebind (including PoC) - chromium - Monorail
  • demonic_browsers.pdf
  • JSON hijacking for the modern web | Blog
  • Pwnfest 2016 meta bug
  • https://bugs.chromium.org/p/chromium/issues/detail?id=682020
  • https://blog.jeremiahgrossman.com/2006/08/i-know-where-youve-been.html - that web 1.0 thing