Thursday, June 14, 2012

Stored XSS in Google Sites


I was recently introduced to an interesting project called Google Caja. Google Caja is basically a compiler/sandbox that makes user-supplied HTML/JavaScript/CSS safe to embed in your web app. Among other places, it is used in Google Sites and Yahoo Applications. The project is very interesting from a security research standpoint for a number of reasons, one of which is that a bug in the compiler could lead to a stored XSS in Google Sites.

So I played with it a bit to see if I could find any holes. I first found a few bugs that are not exploitable on Google Sites and reported those directly to the Google Caja team. These bugs are not yet fixed, so I won't write about them at this time. However, when trying to exploit one of those bugs on Google Sites, I discovered another issue there, related to the parsing of user-supplied HTML. This issue can be used to cause a stored XSS in sites.google.com.

In order to understand the issue, let's first look at how Google Sites handled some user-supplied HTML input.
Let's say that we entered something like this:

<noembed><![CDATA[ <script>alert(document.cookie)</script> ]]></noembed>

It would remain pretty much the same and the JavaScript would not get executed. This is the correct behavior, as inside the noembed tag HTML special characters are interpreted literally. Now, if we entered something like

<noembed><![CDATA[ </noembed><script>alert(document.cookie)</script> ]]></noembed>

The parsing would fail. This is again the correct behavior, because browsers would interpret the first occurrence of </noembed> as the closing tag, despite it being inside the CDATA section. Thus, if something like that passed through unchanged, the script would get executed. The actual problem stems from having multiple CDATA sections in a single noembed tag (or in other tags whose content is interpreted literally). So, for example,

<noembed><![CDATA[aaa]]><![CDATA[bbb]]></noembed>

would become

<noembed><![CDATA[aaabbb]]></noembed>

Considering everything written so far, it shouldn't be hard to combine it into a working exploit:

<noembed><![CDATA[ <]]><![CDATA[/noembed><script>alert(document.cookie)</script> ]]></noembed>

When parsing the HTML above, the two CDATA blocks would get merged and, in doing so, a new closing </noembed> tag would be formed. Thus, the noembed tag would get closed earlier than expected, and the content of the script tag would get executed. This is shown in the image below.

This issue was quickly resolved by the Google security team, and now HTML special characters are escaped even inside noembed and similar tags. Thanks!
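The CDATA merge described above, and the escaping fix that replaced it, modelled as an added Python example (this is not Google Caja's or Google Sites' code; the regexes, the assumption that the noembed body consists only of CDATA sections, and the closes_early check are mine):

```python
import html
import re

# Matches one CDATA section and captures its raw contents.
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.DOTALL)
# A fragment that is exactly one <noembed> element; greedy so the
# final </noembed> is taken as the real closing tag.
NOEMBED_RE = re.compile(r"^<noembed>(.*)</noembed>$", re.DOTALL)


def merge_cdata_naive(body: str) -> str:
    """Pre-fix behaviour described in the post: every CDATA section in the
    noembed body is collapsed into one by concatenating raw contents. The
    boundary between sections vanishes, so '<' at the end of one section
    and '/noembed>' at the start of the next re-join into a closing tag.
    Assumption: the body is made up solely of CDATA sections."""
    parts = CDATA_RE.findall(body)
    if not parts:
        return body
    return "<![CDATA[" + "".join(parts) + "]]>"


def merge_cdata_hardened(body: str) -> str:
    """Post-fix behaviour: the same contents are joined, but HTML special
    characters are escaped, so the text can never form a tag."""
    parts = CDATA_RE.findall(body)
    return html.escape("".join(parts)) if parts else html.escape(body)


def sanitize(fragment: str, merge) -> str:
    """Rewrite a single <noembed>...</noembed> fragment using the given
    CDATA merging strategy; anything else is returned unchanged."""
    m = NOEMBED_RE.match(fragment)
    if m is None:
        return fragment
    return "<noembed>" + merge(m.group(1)) + "</noembed>"


def closes_early(output: str) -> bool:
    """Browser rule from the post: inside <noembed> the first '</noembed>'
    ends the element, CDATA markers notwithstanding. If one appears before
    the final closing tag, everything after it is parsed as live markup."""
    body = output[len("<noembed>"):output.rfind("</noembed>")]
    return "</noembed>" in body.lower()


# Constructed inputs mirroring the post's fragments.
BENIGN = "<noembed><![CDATA[aaa]]><![CDATA[bbb]]></noembed>"
SPLIT = ("<noembed><![CDATA[ <]]><![CDATA[/noembed>"
         "<script>alert(document.cookie)</script> ]]></noembed>")

if __name__ == "__main__":
    for label, frag in (("benign", BENIGN), ("split", SPLIT)):
        for name, merge in (("naive", merge_cdata_naive), ("hardened", merge_cdata_hardened)):
            out = sanitize(frag, merge)
            print(f"{label}/{name}: closes_early={closes_early(out)}  {out}")
```

Running it shows the naive merge turning the split fragment into the exact string from the post (closes_early is True), while the hardened version yields only escaped text.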

PS If you thought that my previous post about PRNG predictability in browsers is related to Google, I'll have to disappoint you - you'll have to wait a bit longer to find out just how I used that :-)

11 comments:

aliyaa said...

The Google Analytics keyword is sometimes not provided, so we should keep our focus on the keywords that are most expensive and useful in Google.

DedicatedHosting4u said...

This is often a very beautiful post. Firstly, I would choose to several thanks for swing stress on but association plays an enormous role in hosting aspect. Fantastic stuff.

DedicatedHosting4u.com

Patell Priya said...

Great post... The tips and the ideas given in the post seem to be very informative and useful.
Tableau Training in Chennai
Tableau Certification
Oracle DBA Training in Chennai
Advanced Excel Training in Chennai
Graphic Design Courses in Chennai
Unix Training in Chennai
Social Media Marketing Courses in Chennai
Corporate Training in Chennai
Spark Training in Chennai
Pega Training in Chennai
Oracle Training in Chennai

Devi said...

Very useful information provided in this blog. Concepts were explained in a detailed manner. Keep giving these types of information. oracle training in chennai

John said...

Very useful information provided in this blog. Concepts were explained in a detailed manner. Keep giving these types of information. Download Iranian songs

INFYCLE TECHNOLOGIES said...

Infycle Technologies, the best software training institute in Chennai, offers the No.1 Python Certification in Chennai for tech professionals. Apart from the Python Course, other courses such as Oracle, Java, Hadoop, Selenium, Android and iOS Development, and Big Data will also be trained with 100% hands-on training. After the completion of training, the students will be sent for placement interviews in the core MNCs. Dial 7502633633 to get more info and a free demo.

saas said...

is binance reliable
buy instagram followers
buy followers
buy instagram followers
which exchange is shiba coin on
which exchange is shiba coin on
tiktok coin cheat
is binance safe
is binance safe

eddielydon said...

The great website and information shared are also very appreciable. Spiderman Hoodie

MaksimMB said...

Hi all! For any development team, it will be necessary from time to time to expand the team to work on individual projects. For this purpose it would be right to use the service of staff augmentation. It is worth noting that the benefits of staff augmentation are obvious for teams that work intermittently.

BEST DATA ANALYTICS COURSE IN INDIA said...

"Interesting topic! The unpredictability of math.random() across domains can pose challenges in predicting outcomes. Have you explored any specific strategies or tools to address this issue in cross-domain scenarios?"
Best Data analytics courses in India

Adwords said...

Thank you for sharing in depth knowledge and explanation on Stored XSS in Google Sites.
Adwords marketing