dekeeu

Nice story about recent GMail XSS


"Escaping is tricky, as demonstrated by a recent Gmail bug found by Roman Shafigullin.

First, what are the escaping rules in HTML? Surely you already know that < > and & have to be escaped into &lt;, &gt; and &amp;. How about URLs? The browser will use percent decoding (e.g. %20 for space) to parse the URL.

Now how would you escape a user string in <a href="javascript:call('user string')">? It's JavaScript so JavaScript escaping rules apply as well. Among other things we want to avoid '. Would it be enough to escape ' with \x27? Unfortunately no.

To understand how to properly escape this, it's important to know which decoding the browser will apply and as importantly, in which order. The browser first HTML decodes the attribute, then URL decodes the whole string and lastly passes it to the JavaScript parser.

It means that:

<a href="javascript:call('%27-alert(1)-%27')">

is URL percent decoded to: javascript:call(''-alert(1)-'') and then passed to the JavaScript parser which interprets the code as an empty string '' followed by a call to alert(1).

This is obviously bad. Instead, we want to apply proper escaping, in order:

1) JavaScript escaping

2) URL percent encoding

3) HTML escaping

This bug was present in Gmail mobile UI at https://mail.google.com/mail/mu - yes, there are multiple UIs for some products!

As seen on Roman Shafigullin screenshot, the bug was triggered by sending an email with a bogus mailto:

<a href="mailto:test-01-%27-alert(1)-%27-test@test.com">test</a>

Gmail mobile parses the mailto and renders the link as:

<a href="javascript:_e({}, 'cvml', 'test-01-%27-alert(1)-%27');" target="_blank">test</a>

It looks fine, however as we discussed earlier the first thing the browser does is URL decoding so %27 is decoded into a single quote and as a result the alert breaks out of the string parameter:

javascript:_e({}, 'cvml', 'test-01-'-alert(1)-'');

The browser will execute alert(1) when the link is clicked. Oops!

To fix this, Gmail fixed the escaping to first JavaScript escape and second URL encode. Nice catch +Roman Shafigullin!"

Attachment: xss.png

Source: https://plus.google.com/u/0/+AlexisImperialLegrandGoogle/posts/f9gm2G2BH5g
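As an added example (not code from the quoted post or from Gmail), the JavaScript below models the three decoding stages the post describes (HTML attribute decode, then percent decode, then the JavaScript parser) and runs both escaping strategies against the post's payload string: the "\x27 only" idea the post rejects, and the layered JS-escape / percent-encode / HTML-escape order it recommends. Every function name, the stub `call` and `alert`, and the sample input are this example's own constructs.

```javascript
// Added example, not code from the quoted post or from Gmail: a model of the
// decoding pipeline the post describes (HTML attribute decode -> percent decode
// -> JavaScript parse) used to check two ways of escaping a user string placed
// in <a href="javascript:call('...')">. All names here are this example's own.

// ---- Browser side (simplified model) ----

// Stage 1: HTML attribute decoding, limited to the entities emitted below.
const ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
function htmlAttrDecode(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => ENTITIES[name]);
}

// Stage 2: lenient percent-decoding of the whole URL (invalid sequences are
// left alone, as a browser would; ASCII-only, which is enough for this demo).
function percentDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Stage 3: hand the code after "javascript:" to the JS engine. `call` and
// `alert` are stubs that only record what the code did.
function clickLink(hrefAttr) {
  const url = percentDecode(htmlAttrDecode(hrefAttr));
  const code = url.replace(/^javascript:/, '');
  const result = { called: null, alertFired: false };
  new Function('call', 'alert', code)(
    (arg) => { result.called = arg; },
    () => { result.alertFired = true; },
  );
  return result;
}

// ---- Server side: building the href from an untrusted string ----

// The "\x27" idea the post rejects: JavaScript escaping only. The JS parser is
// satisfied, but a literal "%27" in the input reaches stage 2 untouched and is
// decoded into a quote before the parser ever sees it.
function buildHrefJsOnly(user) {
  const js = user.replace(/['\\]/g, (c) => '\\x' + c.charCodeAt(0).toString(16));
  return `javascript:call('${js}')`;
}

// Correct layering, innermost first: 1) JavaScript escaping, 2) percent
// encoding, 3) HTML escaping, the reverse of the browser's decoding order.
function jsStringEscape(s) {
  // \xHH / \uHHHH for everything outside a conservative allowlist, so quotes,
  // backslashes, newlines, '<', '&' and '%' never reach the URL layer raw.
  return s.replace(/[^A-Za-z0-9 _.,@-]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}
function htmlAttrEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function buildHrefLayered(user) {
  const js = jsStringEscape(user);                      // 1) JS escaping
  const url = encodeURIComponent(js);                   // 2) '\' -> %5C, '%' -> %25, ...
  return htmlAttrEscape(`javascript:call('${url}')`);   // 3) HTML escaping
}

// Run both builders against the same input and report what the "browser" did.
function compare(user) {
  return {
    jsOnly: clickLink(buildHrefJsOnly(user)),
    layered: clickLink(buildHrefLayered(user)),
  };
}

// Constructed input, taken from the shape of the post's mailto payload.
const payload = 'test-01-%27-alert(1)-%27';
console.log(compare(payload));
// jsOnly.alertFired === true; layered.alertFired === false and
// layered.called === payload (the string reaches call() unchanged)
```

The point to take away is the symmetry: each encoder wraps the previous one, so the browser peels them off in the opposite order and the JavaScript parser is the last consumer. Percent-encoding the already JS-escaped string is what turns an attacker's `%27` into `%2527`, which decodes to the harmless two characters `%27` inside the string literal instead of a quote that terminates it.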
