Thursday, June 14, 2012

Stored XSS in Google Sites


I was recently introduced to an interesting project called Google Caja. Google Caja is basically a compiler/sandbox that makes user-supplied HTML/JavaScript/CSS safe to embed in your web app. Among other places, it is used in Google Sites and Yahoo Applications. The project is very interesting for a number of reasons from a security research standpoint, and one of those is that a bug in the compiler could lead to a stored XSS in Google Sites.

So I played with it a bit to see if I can find any holes. I first found a few bugs that are not exploitable on Google Sites and reported those directly to the Google Caja team. These bugs are not yet fixed so I won't write about them at this time. However, when trying to exploit one of those bugs on Google Sites, I discovered another issue there related to the parsing of user-supplied HTML. This issue can be used to cause a stored XSS in sites.google.com.

In order to understand the issue, let's first look at how Google Sites handled some of the user-supplied HTML input.
Let's say that we entered something like this:

<noembed><![CDATA[ <script>alert(document.cookie)</script> ]]></noembed>

It would remain pretty much the same and the JavaScript would not get executed. This is the correct behavior as, in the noembed tag, HTML special characters are interpreted literally. Now, if we entered something like

<noembed><![CDATA[ </noembed><script>alert(document.cookie)</script> ]]></noembed>

The parsing would fail. This is again the correct behavior, because a browser would interpret the first occurrence of </noembed> as the closing tag despite it being inside the CDATA section. Thus, if something like that passed unchanged, the script would get executed. The actual problem stems from having multiple CDATA sections in a single noembed tag (or in other tags whose content is interpreted literally). So for example

<noembed><![CDATA[aaa]]><![CDATA[bbb]]></noembed>

would become

<noembed><![CDATA[aaabbb]]></noembed>

Considering everything written so far, it shouldn't be hard to combine it into a working exploit:

<noembed><![CDATA[ <]]><![CDATA[/noembed><script>alert(document.cookie)</script> ]]></noembed>

When parsing the HTML code above, the two CDATA blocks would get merged and, in doing so, a new closing </noembed> tag would be formed. Thus, the noembed tag would get closed before expected, and the content of the script tag would get executed. This is shown in the image below.



This issue was quickly resolved by the Google security team and now the HTML special characters are escaped even in noembed and similar tags. Thanks!
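To make the bug and the fix concrete, here is an added example (my own reconstruction, not Google's code) of the three behaviours the post describes: a per-CDATA-block check that sees nothing wrong, the normalization that merges adjacent CDATA sections into one, and the eventual fix of escaping the content of noembed-style tags. The function names and the sample payload string are constructed for this illustration.

```python
import html
import re

# Constructed sample input: the inner content of the <noembed> payload from the post.
PAYLOAD_INNER = "<![CDATA[ <]]><![CDATA[/noembed><script>alert(document.cookie)</script> ]]>"

CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.DOTALL)


def cdata_blocks(inner):
    """Split the content of a raw-text element into its CDATA payloads."""
    return CDATA_RE.findall(inner)


def has_early_close(text, tag="noembed"):
    """True if a browser would close the raw-text element inside this text:
    it scans the raw characters for '</tag' and ignores CDATA markers."""
    return ("</" + tag).lower() in text.lower()


def per_block_check_passes(inner, tag="noembed"):
    """The flawed pre-normalization check: each CDATA section is inspected on its own,
    so a closing tag split across two sections is never seen."""
    return not any(has_early_close(block, tag) for block in cdata_blocks(inner))


def merge_cdata(inner):
    """The normalization the post observed: adjacent CDATA sections collapse into one.
    Hypothetical reimplementation of the observed behaviour, not Google's code."""
    return "<![CDATA[" + "".join(cdata_blocks(inner)) + "]]>"


def post_merge_check_passes(inner, tag="noembed"):
    """Validate the form that will actually be served, i.e. after normalization."""
    return not has_early_close(merge_cdata(inner), tag)


def escape_raw_text(inner):
    """The fix the post describes: HTML-escape the content of noembed and similar tags,
    so no literal '<' survives to form a closing tag."""
    return html.escape("".join(cdata_blocks(inner)), quote=False)
```

The lesson is that any check must run on the output form the browser will see; validating before a normalization step that merges fragments lets the split closing tag through.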

PS If you thought that my previous post about PRNG predictability in browsers is related to Google, I'll have to disappoint you - you'll have to wait a bit longer to find out just how I used that :-)
