Google Chrome Security
2009-05-03 00:05:35
Sat, 20 Sep 08 20:01:52 -0600
I have run a preliminary security analysis, testing the most common XSS vectors.
I have to say, I was quite saddened to learn that it was vulnerable to every inline anchor JavaScript obfuscation I could think of.
However, most of the other common XSS vectors failed.
The biggest problem was the null byte injection. Most browsers do not allow the null byte injection, but Chrome does (the other one I know of is IE).
There are limits to the injection in Chrome; for example, the null byte will not compromise an HTML tag.
It will, however, compromise a URL, potentially bypassing website filters and website reporting systems, which could leave a user in danger of malicious or fraudulent links.
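On the website side, a link filter can close this gap by refusing any URL that contains a null byte or other control character, raw or percent-encoded, before it compares the host against its lists. The sketch below is an added example, not code from the original post or from the test script it mentions; the blocklist, the scheme policy and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumptions for this example: the policy and blocklist are made up.
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTS = {"badsite.example"}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def naive_is_allowed(url: str) -> bool:
    """Substring blocklist: a NUL inside the host name breaks the match."""
    return not any(host in url.lower() for host in BLOCKED_HOSTS)


def decode_fully(url: str, max_rounds: int = 4) -> str:
    """Percent-decode until stable so %00 and %2500 both surface as NUL."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            return decoded
        url = decoded
    raise ValueError("too many layers of percent-encoding")


def strict_is_allowed(url: str) -> bool:
    """Reject control bytes first, then check scheme and host."""
    try:
        decoded = decode_fully(url)
        if CONTROL_CHARS.search(url) or CONTROL_CHARS.search(decoded):
            return False
        parts = urlsplit(decoded)
        host = (parts.hostname or "").lower()
    except ValueError:
        return False
    scheme_ok = parts.scheme.lower() in ALLOWED_SCHEMES
    return scheme_ok and bool(host) and host not in BLOCKED_HOSTS


# Constructed sample links, as a filter or reporting system might receive them.
SAMPLES = [
    "https://example.test/page?x=1",
    "http://badsite.example/",
    "http://bad\x00site.example/",
    "http://bad%00site.example/",
    "http://bad%2500site.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(repr(link), naive_is_allowed(link), strict_is_allowed(link))
```

The naive check passes every sample except the plain blocked host, while the strict check passes only the first sample.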
My personal recommendation at this point would be to not use Google Chrome until the bugs have been worked out, hopefully in the next release.
But, being the biggest Google fanboy on the planet, I will continue using it for my personal browsing.
Note: the script I used to test the XSS vectors can be found at http://humanbagel.com/XSS/index.php. It is a very good tool for getting a basic understanding of your browser's weaknesses. NOTE: Unless you have JavaScript turned off, NO browser will be immune to all of these exploits.