Google Chrome Security: Multiple leading slashes in URLs may confuse some server-side XSS filters

Today i  reported a strange bug to the devs of the Chromium Project, look at the following lines of code :

<html>
<script src="http:\\\\\\\\\\\\monitor.it-securityguard.com\\\\\\\\\\\\\test.js"> </script>
</html>

 

You see those leading slashes ? Do you think that this is an valid URL a Browser would process ? In fact it does not look like a valid one, but for Google  Chrome it is. As you can see in the picture the Url gets executed regardless of how many backslashes there were added.

Bildschirmfoto 2014-06-17 um 20.25.19
Feel free to try this out on your own, we set-up a site, head over to monitor.it-securityguard.com/test2.html and  inspect the Javascript Console on your Google Chrome browser, you will see that the simple Javascript message (console.log(‘this is weird’);) has been executed. This technique also works if you only use one slash, a pretty weird szenario imho. If you check this on  Firefox the URL and the correspondig Javascript won’t get executed
Bildschirmfoto 2014-06-17 um 20.36.26
The questions arising at this point should be : Why does Google Chrome treats URL different then other Browsers ? Is this a security issue which could bypass XSS Filters ? With all this question marks in my head i went over to the Chromium site and requested a ne Issue, some hours later :
The repsonse from @tsepez from the chromium team was pretty clear :

“This is one of those cases where we’ve chosen to support broken pages rather than being strict about URL syntax.”

So in others words, it’s a wontfix.

What do you think about this issue ?

Let us know

All the best

Patrik Fehrenbach – IT-Securityguard

de_DEGerman