florin_darck Posted February 22, 2014 Report Share Posted February 22, 2014 Today’s story is an XSS with an interesting exploit on https://www.google.com/zeitgeist/2012/. It was reported by +Tomasz Bojarski.Zeitgeist 2012 uses the fragment identifier (the part of the URL after #) to load a snippet of HTML from a specified source and inserts it in the DOM.For instance https://www.google.com/zeitgeist/2012/#the-world will loadhttps://www.google.com/zeitgeist/2012/partials/the-world.htmlSo… could we make it load arbitrary URLs?Good question! Alas, this won’t work, because the URL is always constructed relative to the “partials/” directory: 'partials/' + <fragment> + '.html'But, could we use ../ to load another file in a different directory?Well, not exactly: Zeitgeist’s splits on "/", and then just takes the first part of the tokenized string. But not all is lost: +Tomasz Bojarski noticed that Chrome and Internet Explorer both replace "\" with "/" in URLs. So, he could use the "..\" pattern to include files from other directories, say:https://www.google.com/zeitgeist/2012/#\..\..\..\..\robots.txt? Now we have a way to load arbitrary files from www.google.com; Zeitgeist will simply insert them into the DOM as HTML.So how could we load an XSS payload instead of robots.txt?Of course, Tomasz didn’t stop there. He also discovered that Google Correlate allows users to upload structured data and later download it as a CSV file.You probably know where this is going: CSV file format doesn’t support any canonical way of escaping characters such as angle brackets, so Correlate serves them as-is. By itself, that’s not a problem - but if the CSV file is inserted as HTML into another document, we have a straightforward XSS bug: https://www.google.com/zeitgeist/2012/#\..\..\..\..\..\..\trends\correlate\csv?e=id%3aCSVID&t=weekly&p=us&We worked with both Zeitgeist and Correlate to fix this. First, we restricted what the fragment value can be. Secondly, the Correlate team decided to HTML escape the contents of the CSV file for good measure, too.We think this was an interesting exploit that combined a seemingly harmless bug with a legitimate feature to carry out XSS. Nice catch Tomasz!?Source : https://plus.google.com/u/0/+AlexisImperialLegrandGoogle/posts/gJDrVSuteUT 1 Quote Link to comment Share on other sites More sharing options...
