florin_darck

Interesting XSS story by Google Vulnerability Reward Program


Today’s story is an XSS with an interesting exploit on https://www.google.com/zeitgeist/2012/. It was reported by +Tomasz Bojarski.

Zeitgeist 2012 uses the fragment identifier (the part of the URL after #) to load a snippet of HTML from a specified source and inserts it in the DOM.

For instance

https://www.google.com/zeitgeist/2012/#the-world

will load

https://www.google.com/zeitgeist/2012/partials/the-world.html

So… could we make it load arbitrary URLs?

Good question! Alas, this won’t work, because the URL is always constructed relative to the “partials/” directory:

'partials/' + <fragment> + '.html'

But, could we use ../ to load another file in a different directory?

Well, not exactly: Zeitgeist splits on "/", and then just takes the first part of the tokenized string. But not all is lost: +Tomasz Bojarski noticed that Chrome and Internet Explorer both replace "\" with "/" in URLs. So, he could use the "..\" pattern to include files from other directories, say:

https://www.google.com/zeitgeist/2012/#\..\..\..\..\robots.txt? 

Now we have a way to load arbitrary files from www.google.com; Zeitgeist will simply insert them into the DOM as HTML.

So how could we load an XSS payload instead of robots.txt?

Of course, Tomasz didn’t stop there. He also discovered that Google Correlate allows users to upload structured data and later download it as a CSV file.

You probably know where this is going: CSV file format doesn’t support any canonical way of escaping characters such as angle brackets, so Correlate serves them as-is. By itself, that’s not a problem - but if the CSV file is inserted as HTML into another document, we have a straightforward XSS bug:

https://www.google.com/zeitgeist/2012/#\..\..\..\..\..\..\trends\correlate\csv?e=id%3aCSVID&t=weekly&p=us&

We worked with both Zeitgeist and Correlate to fix this. First, we restricted what the fragment value can be. Secondly, the Correlate team decided to HTML escape the contents of the CSV file for good measure, too.

We think this was an interesting exploit that combined a seemingly harmless bug with a legitimate feature to carry out XSS. Nice catch Tomasz!

Source: https://plus.google.com/u/0/+AlexisImperialLegrandGoogle/posts/gJDrVSuteUT

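To see why the split-on-"/" check described in the post is not enough, and what restricting the fragment value buys, here is an added example that models the fragment-to-URL construction in JavaScript. It is not the post's or Google's own code: the function names, the allowlist regex and the default slug are assumptions; the WHATWG URL parser used by Node and modern browsers treats "\" as "/" for http(s) URLs, which is the behaviour the post describes for Chrome and IE.

```javascript
// Added example (not from the original post). Models the Zeitgeist fragment
// handling as described: 'partials/' + <first token of fragment> + '.html',
// resolved against the page URL. Names and the fix are assumptions.
const BASE = 'https://www.google.com/zeitgeist/2012/';

// Vulnerable variant: split the fragment on "/" and keep the first token.
// This stops "../" but not "..\", which the URL parser normalises to "../".
function partialUrlVulnerable(fragment) {
  const first = fragment.split('/')[0];
  return new URL('partials/' + first + '.html', BASE).href;
}

// Hardened variant (assumed fix): only accept a plain slug of lowercase
// letters, digits and hyphens; anything else falls back to a known page.
const SLUG = /^[a-z0-9-]{1,64}$/;
const DEFAULT_SLUG = 'the-world';
function partialUrlHardened(fragment) {
  const slug = SLUG.test(fragment) ? fragment : DEFAULT_SLUG;
  return new URL('partials/' + slug + '.html', BASE).href;
}

// Defensive check usable in either variant: after resolution, the URL must
// still point inside the partials directory.
function staysInPartials(href) {
  return href.startsWith(BASE + 'partials/');
}

// Constructed inputs: the legitimate fragment from the post and the
// traversal fragment it quotes (the trailing "?" pushes ".html" into the query).
const LEGIT = 'the-world';
const TRAVERSAL = '\\..\\..\\..\\..\\robots.txt?';

function demo() {
  return {
    legit: partialUrlVulnerable(LEGIT),            // .../partials/the-world.html
    vulnerable: partialUrlVulnerable(TRAVERSAL),    // https://www.google.com/robots.txt?.html
    hardened: partialUrlHardened(TRAVERSAL),        // .../partials/the-world.html
  };
}
```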
