The sandbox protection in Chrome is implemented via the concept of content sandboxing, which prevents untrusted content (such as XSS attacks) from executing with system privileges. Prior to Chrome version 106, if a web application allowed for inline JavaScript execution, it needed to be validated with a web application security test (WAST). This was particularly relevant for web applications that allowed JavaScript code to be executed within HTML tags. In Chrome version 106, a new feature called JSint was introduced. JSint enabled Chrome to validate JavaScript code against a whitelist of warning messages. As a result of the new validation process, if a web application allowed for inline JavaScript execution, it needed to be validated with a WAST. This process of validation was not enforced by default.
CVE-2022-3308 - Sandbox Protection Bypass
In Chrome version 106, a new feature called JSint was introduced. This enabled Chrome to validate JavaScript code against a whitelist of warning messages. Even though JSint is not enabled by default, it allows for validation of inline JavaScript execution. If a web application allowed for inline JavaScript execution, it needed to be validated with a WAST. As a result of the new validation process, if a web application allowed for inline JavaScript execution, it needed to be validated with a WAST. This means that web applications that were validated with JSint (and thus allowed inline JavaScript execution) are vulnerable to bypassing the sandbox protection in Chrome.
Vulnerability overview
A security researcher discovered that the sandbox protection in Chrome was less effective than intended. This vulnerability allowed for untrusted content to execute with system privileges.
This vulnerability is rated as a critical severity because it allowed for an attacker to perform privileged operations without explicit user consent. If exploited, this vulnerability could have resulted in a compromise of user privacy, data modification, or even remote code execution on behalf of the web application itself.
CVE-2022-3309
: How to prevent XSS attacks
To prevent XSS attacks from being executed with system privileges, a web application needs to be validated with a WAST. This process of validation was not enforced by default in Chrome version 106. To ensure that the validation process is enforced after the release of Chrome version 106, set the new flag: "enable_sandbox_style_checks" in chrome://flags as shown below:
# enable_sandbox_style_checks=true
CVE-2022-3310
The sandbox protection in Chrome is implemented via the concept of content sandboxing, which prevents untrusted content from executing with system privileges. Prior to Chrome version 106, if a web application allowed for inline JavaScript execution, it needed to be validated with a web application security test (WAST). Under certain conditions, this requirement was ignored and under other conditions, the validation of inline JavaScript execution was enforced. In some cases, this enforcement process could prevent a web application from executing inline scripts.
CVE-2022-3311
As a result of the introduction of JSint, inline JavaScript execution in web applications became vulnerable to XSS attacks. The vulnerability was mitigated by disabling JSint, which is disabled by default.
Timeline
Published on: 11/01/2022 20:15:00 UTC
Last modified on: 12/09/2022 15:48:00 UTC