Thursday, June 14, 2012

Stored XSS in Google Sites


I was recently introduced to an interesting project called Google Caja. Google Caja is essentially a compiler/sandbox that makes user-supplied HTML/JavaScript/CSS safe to embed in your web app. Among other places, it is used in Google Sites and Yahoo Applications. The project is very interesting for a number of reasons from a security research standpoint, and one of them is that a bug in the compiler could lead to a stored XSS in Google Sites.

So I played with it a bit to see if I could find any holes. I first found a few bugs that are not exploitable on Google Sites and reported those directly to the Google Caja team. These bugs are not yet fixed, so I won't write about them at this time. However, when trying to exploit one of those bugs on Google Sites, I discovered another issue there, related to the parsing of user-supplied HTML. This issue can be used to cause a stored XSS in sites.google.com.

In order to understand the issue, let's first look at how Google Sites handled some of the user-supplied HTML input. Let's say that we entered something like this:

<noembed><![CDATA[ <script>alert(document.cookie)</script> ]]></noembed>

It would remain pretty much the same and the JavaScript would not get executed. This is the correct behavior, since inside the noembed tag HTML special characters are interpreted literally. Now, if we entered something like

<noembed><![CDATA[ </noembed><script>alert(document.cookie)</script> ]]></noembed>

The parsing would fail. This is again the correct behavior, because browsers would interpret the first occurrence of </noembed> as the closing tag despite it being inside the CDATA section; if something like that passed through unchanged, the script would get executed. The actual problem stems from having multiple CDATA sections in a single noembed tag (or in other tags that interpret special HTML characters literally). So, for example,

<noembed><![CDATA[aaa]]><![CDATA[bbb]]></noembed>

would become

<noembed><![CDATA[aaabbb]]></noembed>

Considering everything written so far, it shouldn't be hard to combine it into a working exploit:

<noembed><![CDATA[ <]]><![CDATA[/noembed><script>alert(document.cookie)</script> ]]></noembed>

When parsing the HTML code above, the two CDATA blocks would get merged and, in doing so, a new closing </noembed> tag would be formed. Thus, the noembed tag would get closed earlier than expected, and the content of the script tag would get executed. This is shown in the image below.



This issue was quickly resolved by the Google security team and now the HTML special characters are escaped even in noembed and similar tags. Thanks!
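To make the merging problem and the fix concrete, here is an added example in Python. It is not Google Sites or Caja code; it is a small model built from the behavior described above: the sanitizer parses CDATA sections on its own (CDATA-aware), concatenates adjacent sections inside a noembed element into one, and a browser then ends the element at the first </noembed> it sees regardless of CDATA markers. The assumptions are: only noembed is modelled (the post mentions "similar tags" without naming them), the sanitizer is assumed to check each CDATA section separately for a closing tag (which is one way to account for the single-section input being rejected while the split one passes), and the function names (`flawed_emit`, `hardened_emit`, `leaked_markup`) are mine. The sample inputs are the ones from the post.

```python
import re
from html import escape

# Constructed sample inputs, taken from the walkthrough in the post.
BENIGN = "<noembed><![CDATA[aaa]]><![CDATA[bbb]]></noembed>"
DIRECT_CLOSE = ("<noembed><![CDATA[ </noembed>"
                "<script>alert(document.cookie)</script> ]]></noembed>")
SPLIT_CLOSE = ("<noembed><![CDATA[ <]]><![CDATA[/noembed>"
               "<script>alert(document.cookie)</script> ]]></noembed>")

# Elements whose body browsers treat as raw text. The post names noembed and
# "similar tags", so only noembed is modelled here (assumption). The greedy
# body match assumes one raw-text element per sample, as in the post.
RAW_TEXT_ELEMENT_RE = re.compile(r"<(noembed)>(.*)</\1>", re.DOTALL)
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.DOTALL)


def _cdata_pieces(tag, body):
    """The sanitizer's own, CDATA-aware parse. Assumption: each CDATA section is
    checked on its own for a premature closing tag, which is what rejects the
    single-section case (DIRECT_CLOSE) while the split case gets through."""
    pieces = CDATA_RE.findall(body)
    for piece in pieces:
        if f"</{tag}" in piece.lower():
            raise ValueError(f"parse error: closing </{tag}> inside raw-text content")
    return pieces


def flawed_emit(html):
    """Model of the behaviour the post describes: adjacent CDATA sections inside a
    raw-text element are concatenated into one section without re-checking the
    joined text, so a closing tag split across two sections is reassembled."""
    def rewrite(m):
        tag, body = m.group(1), m.group(2)
        text = "".join(_cdata_pieces(tag, body))
        return f"<{tag}><![CDATA[{text}]]></{tag}>"
    return RAW_TEXT_ELEMENT_RE.sub(rewrite, html)


def hardened_emit(html):
    """Model of the fix the post reports: HTML special characters are escaped even
    in raw-text elements, so no closing tag can form however pieces are joined."""
    def rewrite(m):
        tag, body = m.group(1), m.group(2)
        text = "".join(_cdata_pieces(tag, body))
        return f"<{tag}>{escape(text, quote=False)}</{tag}>"
    return RAW_TEXT_ELEMENT_RE.sub(rewrite, html)


def leaked_markup(html, tag="noembed"):
    """Model of the browser side: a raw-text element ends at the FIRST </tag> it
    sees, CDATA markers or not. Return whatever markup lands outside the element
    (i.e. in an active HTML context), or None when nothing escapes."""
    m = re.search(rf"<{tag}>.*?</{tag}>(.*)$", html, re.DOTALL)
    if not m:
        return None
    rest = m.group(1)
    return rest if "<" in rest else None


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("split close", SPLIT_CLOSE)):
        out = flawed_emit(sample)
        print(f"{name:12} flawed   -> {out}\n{'':12} leaks    -> {leaked_markup(out)}")
        out = hardened_emit(sample)
        print(f"{'':12} hardened -> {out}\n{'':12} leaks    -> {leaked_markup(out)}")
```

Running it shows the benign input merging harmlessly, the split input merging into a fresh </noembed> followed by a script element that `leaked_markup` reports as outside the raw-text element, and the hardened output keeping everything inside the element as escaped text. The general lesson is the one the post points at: any validation done on fragments is void once the fragments are concatenated, so either re-validate the final serialized text or, as the fix did, emit it in a form where the special characters cannot become markup at all.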

PS If you thought that my previous post about PRNG predictability in browsers is related to Google, I'll have to disappoint you - you'll have to wait a bit longer to find out just how I used that :-)
