Hello, During the creation of a hacking challenge about XSS we had to figure out how to bypass the new AntiXSS filter in Google Chrome. It was included in the latest release and we were in the middle of a hacking challenge about XSS and Sesion Fixation. We were thinking about to change the rules of the game, but, we managed to bypass the filter in an easy way, so we didn´t change it and players were also able to discover it. This is the "how": When a string that can execute any kind of javascript which it is injected, like could be

, Google Chrome fix the source code in runtime, replacing the original string by the following,

, so the injected javascript code is missed and it’s not possible to execute any attack. Chrome also has a function to fix or rewrite HTML source code that isn’t well-formed. If a website that contains a tag like ‘’, it will try to rewrite the source code to construct a proper HTML code. For example, if we introduce a string like

It can give to an attacker a vector to bypass the Anti-XSS filter, due to it applies first the filter and then checks whether the HTML code is well-formed or not, modifying it if needed.. So, it’s possible to create a non-well-formed tag, that after being rewritten, it will be a properly XSS. An example of it may be this one:

, bypassing the AntiXSS filter. Best Regards, Manu "The Sur" and Rodolfo Bordon from Informatica64.com Manuel Fernández Informática 64 Dep. Desarrollo y Seguridad C/ Juan Ramón Jiménez, 8 Bajo Post. Local 28932 Móstoles - Madrid Telf. 91 146 20 00 – Fax: 91 146 20 03 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/