Thursday, June 14, 2012

Stored XSS in Google Sites


I was recently introduced to an interesting project called Google Caja. Google Caja is basically a compiler/sandbox that makes user-supplied HTML/JavaScript/CSS safe to embed in your web app. Among other places, it is used in Google Sites and Yahoo Applications. The project is very interesting for a number of reasons from a security research standpoint, and one of those is that a bug in the compiler could lead to a stored XSS in Google Sites.

So I played with it a bit to see if I could find any holes. I first found a few bugs that are not exploitable on Google Sites and reported those directly to the Google Caja team. These bugs are not yet fixed, so I won't write about them at this time. However, when trying to exploit one of those bugs on Google Sites, I discovered another issue there related to the parsing of user-supplied HTML. This issue can be used to cause a stored XSS in sites.google.com.

In order to understand the issue, let's first look at how Google Sites handled some of the user-supplied HTML input.
Let's say that we entered something like this:

<noembed><![CDATA[ <script>alert(document.cookie)</script> ]]></noembed>

It would remain pretty much the same and the JavaScript would not get executed. This is the correct behavior as, in the noembed tag, HTML special characters are interpreted literally. Now, if we entered something like

<noembed><![CDATA[ </noembed><script>alert(document.cookie)</script> ]]></noembed>

The parsing would fail. This is again the correct behavior, because browsers would interpret the first occurrence of </noembed> as the closing tag despite it being inside the CDATA section. Thus, if something like that passed unchanged, the script would get executed. The actual problem stems from having multiple CDATA sections in a single noembed tag (or other tags that interpret special HTML characters literally). So for example

<noembed><![CDATA[aaa]]><![CDATA[bbb]]></noembed>

would become

<noembed><![CDATA[aaabbb]]></noembed>

Considering everything written so far, it shouldn't be hard to combine it into a working exploit:

<noembed><![CDATA[ <]]><![CDATA[/noembed><script>alert(document.cookie)</script> ]]></noembed>

When parsing the HTML code above, the two CDATA blocks would get merged and, in doing so, a new closing </noembed> tag would be formed. Thus, the noembed tag would get closed before expected, and the content of the script tag would get executed. This is shown in the image below.
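The following is an added example, not code from the post or from Google Caja/Google Sites: a small model of the merging step described above, the browser's raw-text view of noembed, and the escaping fix, so the before/after behaviour can be checked on the post's own payload. Function names and the merge regex are assumptions made for this illustration.

```javascript
// Added example (not the post's or Google's code): a model of the
// noembed/CDATA merging bug, with the flawed and the corrected normalisation
// side by side.

const NOEMBED_RE = /<noembed>([\s\S]*?)<\/noembed>/gi;
const CDATA_RE = /<!\[CDATA\[([\s\S]*?)\]\]>/g;

// Emulates the flawed normalisation step: adjacent CDATA sections inside a
// <noembed> element are concatenated into one section. Concatenation lets a
// closing tag split across two sections ("<" + "/noembed>") reassemble.
function mergeAdjacentCdata(inner) {
  const parts = [...inner.matchAll(CDATA_RE)].map((m) => m[1]);
  return parts.length ? `<![CDATA[${parts.join("")}]]>` : inner;
}

// Escapes HTML special characters; the fix applies this to the content of
// noembed and similar raw-text elements.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Flawed pipeline: merge CDATA sections and pass the result through verbatim.
function sanitizeFlawed(html) {
  return html.replace(NOEMBED_RE, (_, inner) => `<noembed>${mergeAdjacentCdata(inner)}</noembed>`);
}

// Corrected pipeline: same merge, but the noembed content is escaped, so no
// "</noembed>" can survive inside it.
function sanitizeFixed(html) {
  return html.replace(NOEMBED_RE, (_, inner) => `<noembed>${escapeHtml(mergeAdjacentCdata(inner))}</noembed>`);
}

// Minimal model of the browser's view: <noembed> content is raw text that
// ends at the FIRST "</noembed>", regardless of CDATA markers. Script bodies
// found outside noembed regions are the ones that would execute.
function activeScripts(html) {
  const lower = html.toLowerCase();
  const scripts = [];
  let i = 0;
  while (i < html.length) {
    const open = lower.indexOf("<noembed>", i);
    const end = open === -1 ? html.length : open;
    for (const m of html.slice(i, end).matchAll(/<script>([\s\S]*?)<\/script>/gi)) scripts.push(m[1].trim());
    if (open === -1) break;
    const close = lower.indexOf("</noembed>", open + "<noembed>".length);
    i = close === -1 ? html.length : close + "</noembed>".length;
  }
  return scripts;
}

// The post's payload, used here as the constructed test input.
const PAYLOAD = "<noembed><![CDATA[ <]]><![CDATA[/noembed><script>alert(document.cookie)</script> ]]></noembed>";
```

Run through the model, the raw payload yields no active script, the flawed pipeline yields one, and the escaping fix yields none again.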



This issue was quickly resolved by the Google security team and now the HTML special characters are escaped even in noembed and similar tags. Thanks!

PS If you thought that my previous post about PRNG predictability in browsers is related to Google, I'll have to disappoint you - you'll have to wait a bit longer to find out just how I used that :-)
