Today I reported a strange bug to the devs of the Chromium project. Look at the following line of code:
<script src=http:\\\\\\\\\\\\monitor.it-securityguard.com\\\\\\\\\\\\\test.js> </script>
You see those leading slashes? Do you think this is a valid URL a browser would process? It does not look like a valid one, but for Google Chrome it is. As you can see in the picture, the URL gets loaded and the script executed regardless of how many backslashes were added.
The questions arising at this point should be: why does Google Chrome treat URLs differently than other browsers? Is this a security issue which could bypass XSS filters? With all these question marks in my head I went over to the Chromium site and filed a new issue. Some hours later:
The response from @tsepez from the Chromium team was pretty clear:
„This is one of those cases where we’ve chosen to support broken pages rather than being strict about URL syntax.“
So in other words, it's a wontfix.
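Since the parser will not change, any filter that reasons about script URLs has to parse them the way the browser does. Here is an added example (not from the original post and not Chromium code) that compares a naive regex check against a check on the WHATWG-parsed URL; the host example.test, the function names and the sample inputs are constructed for illustration:

```javascript
// Added example, not from the original post or the Chromium project.
// The host "example.test", the sample inputs and the function names are constructed.

// Naive detector: a regex over the raw attribute value that only recognises
// the canonical "http://host" form. Returns the host or null.
function naiveExternalHost(raw) {
  const m = /^https?:\/\/([^\/?#]+)/i.exec(raw);
  return m ? m[1].toLowerCase() : null;
}

// Robust detector: canonicalise with the WHATWG URL parser (the standard that
// Chrome and Node's URL class follow, where "\" counts as "/" for http(s) and
// extra separators after the scheme are skipped), then read the hostname off
// the parsed result. Returns the host or null for relative references and
// non-http(s) schemes.
function parsedExternalHost(raw) {
  let u;
  try {
    u = new URL(raw);          // throws on relative references without a base
  } catch {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.hostname;           // already lower-cased by the parser
}

// Constructed inputs: the canonical form plus backslash variants like the one
// in the post. String.raw keeps every backslash literal.
const SAMPLES = [
  "http://example.test/test.js",
  String.raw`http:\\example.test\test.js`,
  String.raw`http:\\\\\\example.test\\\\test.js`,
  "/local/test.js",
];

for (const raw of SAMPLES) {
  console.log(
    JSON.stringify(raw),
    "naive:", naiveExternalHost(raw),
    "parsed:", parsedExternalHost(raw),
  );
}
```

The naive check reports the backslash variants as "not an external URL" while the parser resolves them to example.test, which is exactly the gap a filter built on raw string matching leaves open.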
What do you think about this issue ?
Let us know
All the best
Patrik Fehrenbach – IT-Securityguard