Recently I've been trying to escape the Chrome OS sandbox for fun, bounties, etc. I found you can run straight system commands through chrome:// URLs (such as displaying a USB Detected message, or something). However, Google is notoriously good at XSS prevention and appears to have placed that into their chrome:// URLs. I've gotten maddeningly close -- to the point where I could display and click on a javascript: link, but it didn't work because chrome:// URLs only allow script to run from within themselves, and javascript: is technically different.
Is there any chrome:// URL that allows script injection? Can I configure some chrome://flags settings to access javascript: injection on a chrome:// URL?

1 Answer

TL;DR

Is there any chrome:// url that allows script injection?

And be one of the many on their glory list? I assume people are getting paid for this.

I found you can run straight system commands through chrome:// urls

What system commands can one run specifically through an internal chrome page? date, cal, rm? This statement contradicts the next sentences in the question.

I've gotten maddeningly close -- to the point where I could display and click on a javascript: link but it didn't work

That's because you can't visit chrome:// prefixes from within a crafted page; this way, nothing will happen when you click such URLs in a static web page.

Can I configure some chrome://flags settings to access javascript: injection on a chrome:// url?

javascript: handlers won't work just by putting them directly into the search bar; they must be activated from the source code. Therefore, a prefix and a handler can't be combined, because, as I already said, handlers must be activated first.
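The answer's point is that a `javascript:` handler only fires when it is part of the page's own source, so the defensive job of any privileged page (a chrome:// WebUI page, or any app that renders user-supplied hrefs) is to never let attacker-controlled text become that source. The following is an added example, not code from the question, the answer, or Chromium: a scheme allowlist for untrusted link targets that normalizes the input the way a browser's URL parser does (leading control characters, embedded tabs and newlines, mixed case) before deciding whether the link may be rendered. The allowlist contents and the placeholder base origin `https://example.invalid/` are assumptions.

```javascript
// Added example (not from the page): scheme allowlist for untrusted hrefs.
// Rejects javascript:, data:, chrome://, vbscript:, file: and anything else
// that is not explicitly permitted. All values below are constructed.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Normalize the raw string the way the WHATWG URL parser does before the
// scheme is read: strip leading/trailing C0 controls and spaces, and drop
// ASCII tab/newline anywhere (browsers ignore them, so "java\nscript:" is
// parsed as "javascript:"). Done explicitly so the check is visible.
function normalizeUrlInput(raw) {
  return String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Returns the lower-cased scheme (with trailing colon), or null when the
// input is empty or cannot be parsed. Relative references resolve against a
// placeholder base (an assumption) and therefore come back as "https:".
function schemeOf(raw) {
  const cleaned = normalizeUrlInput(raw);
  if (cleaned === '') return null;
  try {
    return new URL(cleaned, 'https://example.invalid/').protocol.toLowerCase();
  } catch {
    return null;
  }
}

// True only when the parsed scheme is on the allowlist. Escaping the string
// would not help here: escaping changes the characters, not the scheme the
// browser acts on, so rejection is the only safe outcome.
function isSafeHref(raw) {
  const scheme = schemeOf(raw);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Returns a normalized absolute URL safe to assign to anchor.href, or '#'
// when the input was rejected. Callers should set it through the DOM
// property rather than by concatenating HTML.
function sanitizeHref(raw) {
  if (!isSafeHref(raw)) return '#';
  return new URL(normalizeUrlInput(raw), 'https://example.invalid/').href;
}

// Constructed sample inputs, as a link renderer might receive them.
const SAMPLES = [
  'https://example.com/page',
  '/relative/path',
  'javascript:alert(1)',
  ' \tJaVaScRiPt:alert(1)',
  'java\nscript:alert(1)',
  'chrome://flags',
  'data:text/html,<script>alert(1)</script>',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', isSafeHref(s) ? sanitizeHref(s) : 'REJECTED');
}
```

The check deliberately parses with the platform `URL` class instead of a hand-written regex, so that case folding, whitespace handling and relative-reference resolution match what the browser will actually do when the link is clicked.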

  • Dude, you literally just told me what I said. – thanoschimichan-ga Feb 20 '20 at 19:30
  • So you're looking for a way to bypass the currently available XSS protection by traveling around the flags with an eye on getting `javascript:` working; what are your current results? – Waves-n-masses Feb 20 '20 at 19:45
  • That's not my goal; my goal is simply to execute my own code through a chrome:// URL. I found my most likely ways are getting `javascript:` to work or simply finding an escape from user input. – thanoschimichan-ga Feb 20 '20 at 20:50
  • @thanoschimichan-ga even if the answer tells you what you already know, I think the important point is that if it were possible, it would be a big issue, and the first place it would appear wouldn't be an answer on Stack Exchange. – multithr3at3d Feb 20 '20 at 22:50