CVE-2013-6656 in Chromeinfo

Summary

by MITRE

The XSSAuditor::init function in core/html/parser/XSSAuditor.cpp in the XSS auditor in Blink, as used in Google Chrome before 33.0.1750.117, processes POST requests by using the body of a redirecting page instead of the body of a redirect target, which allows remote attackers to obtain sensitive information via unspecified vectors.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 06/09/2021

The vulnerability described in CVE-2013-6656 resides within the XSS auditor component of Blink, the rendering engine powering Google Chrome and other web browsers. This flaw specifically affects versions prior to 33.0.1750.117 and represents a critical security weakness in how the browser handles cross-site scripting protection mechanisms. The XSS auditor is designed to detect and prevent potential XSS attacks by analyzing HTTP request data, particularly when dealing with redirect scenarios that might contain malicious payloads intended to exploit user sessions or access sensitive information.

The technical root cause of this vulnerability lies in the XSSAuditor::init function located in core/html/parser/XSSAuditor.cpp. When processing POST requests that involve redirects, the function incorrectly retrieves and analyzes the body content from the redirecting page rather than examining the actual target page that users are being redirected to. This fundamental error in data processing creates a scenario where malicious actors can craft specially designed redirect chains that bypass the XSS protection mechanisms. The flaw essentially allows attackers to manipulate the XSS auditor's behavior by controlling the intermediate redirect page content, potentially enabling information disclosure attacks.

The operational impact of this vulnerability extends beyond simple XSS protection bypass. Attackers can exploit this weakness to harvest sensitive information from users' sessions, including authentication tokens, personal data, or other confidential information that might be present in the redirect target pages. This particular vulnerability aligns with CWE-79, which describes Cross-Site Scripting flaws, and demonstrates how improper handling of redirect chains can create security gaps in web application defenses. The vulnerability operates at the browser level, making it particularly dangerous as it affects all web applications running within the affected Chrome versions regardless of their own security implementations.

The security implications of this vulnerability are significant when considering the ATT&CK framework's approach to credential access and information disclosure techniques. Attackers can leverage this flaw to perform sophisticated information gathering operations that would normally be blocked by proper XSS protection mechanisms. The vulnerability's exploitation requires careful crafting of redirect chains and understanding of the browser's internal processing behavior, making it a targeted attack vector that demonstrates advanced knowledge of browser security internals. Organizations using affected Chrome versions face increased risk of session hijacking, data theft, and other credential-based attacks that could compromise user accounts and sensitive corporate information.

Mitigation strategies for this vulnerability involve immediate patching of affected Chrome versions to 33.0.1750.117 or later, which contains the necessary fixes to properly handle redirect processing in the XSS auditor. Additionally, security teams should implement network-level monitoring to detect suspicious redirect patterns and consider deploying web application firewalls that can identify and block malicious redirect chains. The fix addresses the core issue by ensuring that the XSS auditor processes the correct page content when handling POST requests with redirects, thereby restoring proper protection against cross-site scripting attacks that could otherwise be bypassed through this specific flaw.

Reservation

11/05/2013

Disclosure

02/23/2014

Moderation

accepted

Entry

VDB-12380

CPE

ready

EPSS

0.01107

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!