url with a leading NULL byte can bypass cross origin protection.
https://code.google.com/p/chromium/issues/detail?id=37383

Universal XSS in frame elements handling
https://code.google.com/p/chromium/issues/detail?id=143439

Pwnium UXSS variation
https://code.google.com/p/chromium/issues/detail?id=117550

UXSS with document.baseURI
https://code.google.com/p/chromium/issues/detail?id=90222

Universal XSS using widget updates in ContainerNode::parserRemoveChild
https://bugs.chromium.org/p/chromium/issues/detail?id=560011

Security: Universal XSS using Flash message loop
https://bugs.chromium.org/p/chromium/issues/detail?id=569496

Cross-origin access using window.execScript + code execution
https://bugs.chromium.org/p/chromium/issues/detail?id=83096

Universal XSS using contentWindow.eval
https://bugs.chromium.org/p/chromium/issues/detail?id=83743

UXSS with empty SecurityOrigin
https://bugs.chromium.org/p/chromium/issues/detail?id=89453

UXSS / frame escape with window.open
https://bugs.chromium.org/p/chromium/issues/detail?id=89520

UXSS with document.baseURI
https://bugs.chromium.org/p/chromium/issues/detail?id=90222

Arbitrary cross-origin bypass using __defineGetter__ prototype override
https://bugs.chromium.org/p/chromium/issues/detail?id=93416

UXSS using Object.getPrototypeOf
https://bugs.chromium.org/p/chromium/issues/detail?id=93759

Cross-origin access to window.__proto__
https://bugs.chromium.org/p/chromium/issues/detail?id=95671

UXSS and use-after-free when DOMWindow is accessed after navigation
https://bugs.chromium.org/p/chromium/issues/detail?id=96047

UXSS via Object::GetRealNamedPropertyInPrototypeChain
https://bugs.chromium.org/p/chromium/issues/detail?id=96885

UXSS via HTMLObjectElement
https://bugs.chromium.org/p/chromium/issues/detail?id=98053

UXSS: XSLT-generated document should inherit its SecurityOrigin from the source document
https://bugs.chromium.org/p/chromium/issues/detail?id=99512

UXSS: executeIfJavaScriptURL gets confused by synchronous frame loads
https://bugs.chromium.org/p/chromium/issues/detail?id=99750

Location bar spoofing when using replaceState in unload event handler
https://bugs.chromium.org/p/chromium/issues/detail?id=101235

Pwnium UXSS variation
https://bugs.chromium.org/p/chromium/issues/detail?id=117550

v8 builtins object exposed to user causing UXSS
https://bugs.chromium.org/p/chromium/issues/detail?id=143437

Universal XSS in frame elements handling
https://bugs.chromium.org/p/chromium/issues/detail?id=143439

 
