I was recently introduced to an interested project called Google Caja. Google Caja is basically a compiler/sandbox that makes user-supplied HTML/JavaScript/CSS safe to embed in your web app. Among other places, it is used in Google Sites and Yahoo Applications. The project is very interesting for a number of reasons from a security research standpoint, and one of those is that a bug in the compiler could lead to a stored XSS in Google sites.
So I played with it a bit to see if I can find any holes. I first found a few bugs that are not exploitable on Google Sites and reported those directly to the Google Caja team. These bugs are not yet fixed so I won't write about them at this time. However, when trying to exploit one of those bugs on Google Sites, I discovered another issue there related to the parsing of user-supplied HTML. This issue can be used to cause a stored XSS in sites.google.com.
In order to understand the issue, let's first look at how Google Sites handled some of the user-supplied HTML input.
Let's say that we entered something like this:
<noembed><![CDATA[ <script>alert(document.cookie)</script> ]]></noembed>
It would remain pretty much the same and the JavaScript would not get executed. This is the correct behavior as, in the noembed tag, HTML special characters are interpreted literally. Now, if we entered something like
<noembed><![CDATA[ </noembed><script>alert(document.cookie)</script> ]]></noembed>
The parsing would fail. This is again the correct behavior, because the browsers would interpret the first occurrence of </noembed> as the closing tag despite it being in the CDATA tag. Thus, if something like that passed unchanged, the script would get executed. The actual problem stems from having multiple CDATA tags in a single noembed tag (or other tags that interpret special HTML characters literally). So for example
<noembed><![CDATA[aaa]]><![CDATA[bbb]]></noembed>
would become
<noembed><![CDATA[aaabbb]]></noembed>
Considering everything written so far, it shouldn't be hard to combine it into a working exploit:
<noembed><![CDATA[ <]]><![CDATA[/noembed><script>alert(document.cookie)</script> ]]></noembed>
When parsing the HTML code above, the two CDATA blocks would get merged and, in doing so, a new closing </noembed> tag would be formed. Thus, the noembed tag would get closed before expected, and the content of the script tag would get executed. This is shown in the image below.
This issue was quickly resolved by the Google security team and now the HTML special characters are escaped even in noembed and similar tags. Thanks!
PS If you thought that my previous post about PRNG predictability in browsers is related to Google, I'll have to disappoint you - you'll have to wait a bit longer to find out just how I used that :-)
45 comments:
Wow that was strange. I just wrote an really long comment
but after I clicked submit my comment didn't appear. Grrrr... well I'm
not writing all that over again. Anyway, just wanted
to say wonderful blog!
Feel free to visit my blog ... http://wiki.0zapftis.info/index.php?title=Benutzer:TamjHxw
My page: wechsel von der privaten in die gesetzliche krankenkasse
Generally I don't learn post on blogs, however I would like to say that this write-up very forced me to check out and do it! Your writing taste has been amazed me. Thanks, very nice post.
Feel free to surf to my blog; an beitrag kv
Way cool! Some very valid points! I appreciate you writing this write-up plus the
rest of the site is also very good.
my web site: krankenkasse im vergleich
I will immediately grasp your rss as I can not to find your e-mail subscription link or e-newsletter
service. Do you've any? Please let me recognize in order that I may just subscribe. Thanks.
Also visit my page ... girokonto trotz negativer schufa
Have you ever thought about adding a little bit more than just your
articles? I mean, what you say is important and everything.
Nevertheless think about if you added some great visuals or videos to give your posts more, "pop"!
Your content is excellent but with images and videos, this
blog could definitely be one of the best in its niche.
Superb blog!
my blog post what is adsense
Do you mind if I quote a few of your posts as long
as I provide credit and sources back to your blog?
My blog is in the very same niche as yours and my users would definitely benefit from a lot of the information you provide here.
Please let me know if this okay with you. Thanks!
my site Best Student Loan Consolidation 2012
Also see my webpage > student loan network private loan consolidation
What i don't realize is in fact how you are not actually much more smartly-appreciated than you may be now. You are very intelligent. You recognize thus considerably in relation to this subject, produced me personally consider it from so many various angles. Its like men and women are not interested unless it is one thing to accomplish with Girl gaga! Your individual stuffs great. All the time handle it up!
Feel free to surf to my blog post resell host
This is a topic that's close to my heart... Take care! Where are your contact details though?
Feel free to visit my web page: beitragsvergleich private krankenversicherung
I'm now not positive where you are getting your information, however great topic. I must spend a while studying much more or figuring out more. Thanks for great information I used to be searching for this information for my mission.
My web page; los angeles search engine optimization
Hello! I'm at work surfing around your blog from my new iphone 3gs! Just wanted to say I love reading your blog and look forward to all your posts! Keep up the superb work!
My web site ... online kaufen schuhe
my website :: designer outlets online
Awesome issues here. I'm very glad to peer your article. Thanks so much and I am having a look ahead to touch you. Will you kindly drop me a e-mail?
Also visit my website; auto refinance for bad credit
Also see my site - Bad Credit Home Mortage
I am regular reader, how are you everybody? This article posted at this
website is really good.
Feel free to surf to my web page - from affiliate programs
I was wondering if you ever considered changing the layout of your site?
Its very well written; I love what youve got to say. But maybe you could
a little more in the way of content so people could connect with it better.
Youve got an awful lot of text for only having 1 or two pictures.
Maybe you could space it out better?
Here is my site; freiwilige krankenversicherung
my webpage: private krankenkassen
Nice weblog right here! Also your web site so
much up very fast! What web host are you the usage of?
Can I get your affiliate hyperlink for your host?
I desire my web site loaded up as fast as yours lol
Also visit my web page :: kredit auch mit schufa eintrag
I loved as much as you'll receive carried out right here. The sketch is tasteful, your authored subject matter stylish. nonetheless, you command get bought an nervousness over that you wish be delivering the following. unwell unquestionably come more formerly again as exactly the same nearly very often inside case you shield this increase.
Also visit my web site: beiträge gesetzliche krankenkassen
Hi there! Do you know if they make any plugins to help with SEO?
I'm trying to get my blog to rank for some targeted keywords but I'm not
seeing very good success. If you know of any please share.
Thank you!
Feel free to visit my web page ... private krankenversicherung günstiger als gesetzliche
my web page - raus aus der privaten krankenkasse
Keep this going please, great job!
My homepage: seo pricing
certainly like your website but you need to take a look at
the spelling on several of your posts. Many of them are rife
with spelling problems and I to find it very troublesome to
tell the truth however I will surely come back again.
My weblog: privatekrankenversicherung
My web site: student private krankenversicherung
Hello excellent blog! Does running a blog like this require a massive amount work?
I have virtually no expertise in computer programming however I
had been hoping to start my own blog in the near future.
Anyways, if you have any suggestions or tips for new blog owners please share.
I understand this is off subject nevertheless I simply needed to ask.
Kudos!
Here is my blog: private krankenversicherung existenzgründer
Your means of describing all in this paragraph is really
pleasant, every one can without difficulty know it,
Thanks a lot.
Feel free to visit my webpage: reseller hosting plan
Very nice post. I just stumbled upon your blog and wanted to say that I have
truly enjoyed browsing your blog posts. In any case I will be subscribing to your
feed and I hope you write again soon!
Feel free to surf to my page - good stay at home jobs for moms
Excellent article! We are linking to this particularly great article on our site.
Keep up the good writing.
My web site: best reseller Hosting
my web page :: The Best Hosting
This article will assist the internet visitors for
setting up new web site or even a blog from start to end.
Also visit my blog ... privaten krankenkasse
Hi everyone, it's my first go to see at this site, and article is really fruitful in support of me, keep up posting these articles.
Feel free to visit my site Vergleich Gesetzlicher Krankenkassen
My web site > arbeitnehmerbeitrag zur privaten krankenkasse
It's very easy to find out any topic on web as compared to textbooks, as I found this article at this website.
Here is my webpage :: privat Krankenversicherung Vergleich
Nice post. I was checking constantly this blog and I'm impressed! Extremely useful info specially the last part :) I care for such information much. I was looking for this particular info for a very long time. Thank you and best of luck.
Also visit my webpage ... puerto rico all inclusive
I have read so many articles or reviews concerning the blogger lovers
except this post is actually a good paragraph, keep it up.
Take a look at my web blog wechsel der krankenkasse
Thanks for finally talking about > "Stored XSS in Google Sites"
< Liked it!
Feel free to surf to my site; arbeitgeberzuschuss
private krankenversicherung
With havin so much written content do you ever run into any issues of plagorism or copyright infringement?
My blog has a lot of unique content I've either created myself or outsourced but it seems a lot of it is popping it up all over the web without my authorization. Do you know any ways to help reduce content from being stolen? I'd truly
appreciate it.
Look at my blog private Krankenversicherung Bedingungen
Nice post. I learn something new and challenging on sites
I stumbleupon every day. It's always useful to read content from other writers and practice something from other websites.
my blog post :: immobilien kredit
Nice post. I learn something new and challenging on sites I stumbleupon every day.
It's always useful to read content from other writers and practice something from other websites.
Also visit my blog post immobilien kredit
My webpage: kredit ohne schufa auskunft sofort
I read this post fully on the topic of the comparison of newest and preceding technologies, it's awesome article.
Feel free to surf to my web-site ... make money clickbank
My page - clickbank new products
Appreciate this post. Let me try it out.
Feel free to surf to my blog Debt Consolidation Credit Card
This is really interesting, You're a very skilled blogger. I've joined your rss feed and look forward to seeking
more of your magnificent post. Also, I have shared your site
in my social networks!
Also visit my site :: work at home jobs scams
My web site - canadian work from home jobs
I love the knowledge on your web sites. Thank you so much! i SUCK i KNOW
Howdy! This is kind of off topic but I need some advice from
an established blog. Is it hard to set up your own blog?
I'm not very techincal but I can figure things out pretty fast. I'm thinking about making my own
but I'm not sure where to start. Do you have any tips or suggestions? Appreciate it
Check out my homepage :: how to find a work from home job
It's truly a great and useful piece of info. I'm satisfied
that you just shared this useful info with us. Please keep us up to date like this.
Thanks for sharing.
Feel free to surf to my page: Stiftung Warentest Krankenversicherung
Have you ever considered about adding a little bit more than just your articles?
I mean, what you say is fundamental and all. Nevertheless think about
if you added some great graphics or videos to give
your posts more, "pop"! Your content is excellent but with images and videos, this site could undeniably be one of the greatest in its niche.
Wonderful blog!
Stop by my web blog :: refinancing home loan bad credit
Very energetic post, I enjoyed that a lot. There has to be a part Two?
Also visit my web site just click the up coming internet site
A lot of us who are under constant pressure tend to eat too much and do
not take good care of their bodies. Even
if your small business doesn't have some sort of refrigerator (a rarity today) you can choose vegetable and fruit that do not even require refrigeration. These tips are followed by every pregnant woman all around the world but remember whatever you do, you should first check with your gynecologist so that there is no complication in your pregnancy.
Also visit my blog :: fun fitness tips and facts
The new tablet would be a further extension of these concepts and
yet another step into the future of computing for Apple.
The effects of what they see, read and hear are having a devastating affect on our society today.
Thus they can choose from the many available sources.
My page - http://bnn.kz/index.php?do=/profile-11131/info
I am not sure where you are getting your info, but good topic.
I needs to spend some time learning much more or understanding more.
Thanks for excellent info I was looking for this
info for my mission.
Feel free to surf to my page Biotechnology
An excellent settle of trainers, maybe not one of the most gorgeous, not are generally, nor is the company name, still it capability away craving you to peregrination life story, Christian Louboutin Shoes
be converted into like the pleasure shoes flop to irregularly, it is possible that desired,still injured indeed.http://www.getasicsaustralia.com
A lay of the land you desperate straits encountered, walked up-right anterior to the splendour cabinets in countless varieties shoes you intention get the drift overwhelming, down to the ground to over. The realize value is appropriate isn't beautiful, like too costly, cordial upfront fashion, guess good-looking men and better half that regard as old-fashioned ... to be unequivocally thrilled with unaffectedly difficult. Pick to arrogate, in the long run unquestionable on a duo, dress a pair of days only to tumble to foot show, or no path to set off them their clothes,Christian Louboutin Sale
the reactionary course of action to about this time? To insist upon up'd somewhat nociceptive to have need of to wear?
Hi! I know this is somewhat off topic but I was wondering if you knew where
I could locate a captcha plugin for my comment form? I'm using the same blog platform as yours and I'm having trouble finding one?
Thanks a lot!
Here is my webpage printable pistol targets
After I originally commented I seem to have
clicked the -Notify me when new comments are added- checkbox and
now every time a comment is added I recieve 4 emails with the same comment.
Perhaps there is an easy method you can remove me from that
service? Thanks a lot!
Feel free to surf to my weblog; latest world news
Post a Comment