  • UXSS in Chrome-engine-based browsers

    url with a leading NULL byte can bypass cross origin protection.
    https://code.google.com/p/chromium/issues/detail?id=37383
    
    Universal XSS in frame elements handling
    https://code.google.com/p/chromium/issues/detail?id=143439
    
    Pwnium UXSS variation        
    https://code.google.com/p/chromium/issues/detail?id=117550            
    
    UXSS with document.baseURI
    https://code.google.com/p/chromium/issues/detail?id=90222
    
    Universal XSS using widget updates in ContainerNode::parserRemoveChild        
    https://bugs.chromium.org/p/chromium/issues/detail?id=560011
    
    Security: Universal XSS using Flash message loop        
    https://bugs.chromium.org/p/chromium/issues/detail?id=569496
    
    Cross-origin access using window.execScript + code execution        
    https://bugs.chromium.org/p/chromium/issues/detail?id=83096    
    
    Universal XSS using contentWindow.eval        
    https://bugs.chromium.org/p/chromium/issues/detail?id=83743
    
    UXSS with empty SecurityOrigin    
    https://bugs.chromium.org/p/chromium/issues/detail?id=89453    
    
    UXSS / frame escape with window.open        
    https://bugs.chromium.org/p/chromium/issues/detail?id=89520    
    
    UXSS with document.baseURI
    https://bugs.chromium.org/p/chromium/issues/detail?id=90222
    
    Arbitrary cross-origin bypass using __defineGetter__ prototype override    
    https://bugs.chromium.org/p/chromium/issues/detail?id=93416
    
    UXSS using Object.getPrototypeOf
    https://bugs.chromium.org/p/chromium/issues/detail?id=93759
    
    Cross-origin access to window.__proto__
    https://bugs.chromium.org/p/chromium/issues/detail?id=95671
    
    UXSS and use-after-free when DOMWindow is accessed after navigation
    https://bugs.chromium.org/p/chromium/issues/detail?id=96047
    
    UXSS via Object::GetRealNamedPropertyInPrototypeChain
    https://bugs.chromium.org/p/chromium/issues/detail?id=96885
    
    UXSS via HTMLObjectElement
    https://bugs.chromium.org/p/chromium/issues/detail?id=98053
    
    UXSS: XSLT-generated document should inherit its SecurityOrigin from the source document
    https://bugs.chromium.org/p/chromium/issues/detail?id=99512
    
    UXSS: executeIfJavaScriptURL gets confused by synchronous frame loads
    https://bugs.chromium.org/p/chromium/issues/detail?id=99750
    
    Location bar spoofing when using replaceState in unload event handler
    https://bugs.chromium.org/p/chromium/issues/detail?id=101235
    
    Pwnium UXSS variation
    https://bugs.chromium.org/p/chromium/issues/detail?id=117550
    
    v8 builtins object exposed to user causing UXSS
    https://bugs.chromium.org/p/chromium/issues/detail?id=143437
    
    Universal XSS in frame elements handling        
    https://bugs.chromium.org/p/chromium/issues/detail?id=143439
  • Original article: https://www.cnblogs.com/sevck/p/5841196.html