Google Chrome 31.0 Webkit Auditor Bypass

`# Title: Chrome 31.0 Webkit XSS Auditor Bypass  
# Product: Google Chrome  
# Author: Rafay Baloch @rafaybaloch And PEPE Vila  
  
  
============  
Description  
============  
  
Chrome XSS Auditor is a client side XSS filter used by google chrome  
to protect against XSS attacks. Chrome XSS filter has already been beaten  
a lot of times and there still exists lots of contexts where it fails.  
  
============  
Vulnerability  
============  
  
The vulnerability lies in the way people escape certain characters, while  
replacing certain characters with characters  
that would still yeild a valid javascript syntax. For instance, stripping  
out Single quotes, Double quotes etc with - would yield a valid javascript  
syntax and since the response won't match the output parameter.  
  
================  
Proof of concept  
================  
  
The following is a challenge setup by a gentle man with a nick "Strong boi":  
  
http://12342.site11.com/level2.php  
  
The expected solution was to use a well known unfixed bug in chrome and  
using both parameters a and b to execute the javascript. However, we  
noticed a different behaviour, when we injected an apostrophe. It was being  
converted to - and hence yielding a valid syntax and executing the  
javascript. So, this would work whenever the server side application  
would try replacing special characters to - or anything similar that  
would make the syntax valid.  
  
http://12342.site11.com/level2.php?a=%22%3E%3Cscript%3E'alert(0);%3C/script%3E  
  
Output Source:  
  
First search:<input type="text" name="a"  
value="<script>1-alert(0);</script>"/><br>  
`