Pages

Sunday, February 27, 2011

Google Security Vulnerability Reward Program: Google Website Optimizer - Stored XSS

Overview
Google WebsiteOptimizer Google's free website testing and optimization tool, missed a very important check when people create their experiments. additionally they made it more easier to exploit.

What Had to be done?

The first step was creating a new experiment I preferred A/B Experiment, then I had an option to add URLs to verify my website is real, as first I inserted some string "BenHayak" for example and pressed continue.
After that screen I had an option to throw the dirty job over to my "Webmaster" - "Your Webmaster will install and do the dirty work for you ;)". Great they give me a link to Google domain validation page with links to BenHayak when I clicked it I noticed it opens a page with only "BenHayak" in the address bar.
Then I made another Experiment filled with many javascript:alert('BenHayak'); and sent this stored xss report alog with recommendation to always check for "http://" in the input.

POC link: Click to trigger the Alert stored xss

Image triggering the xss:


I appreciate the opportunity to preserve my skills and gain some more experience
Thank you Google security team.

Updates

Well, It's been couple of weeks since I wanted to update the blog with
new vulnerabilities I found in Google products.
But, as for now these bugs aren't fixed yet,
I will publish it soon, after Google will fix the issues.

Best regards,
Ben Hayak

Thursday, February 17, 2011

Google Security Vulnerability Reward Program: Google Bookmarks Stored XSS

Overview
Google Bookmarks lets you create an online bookmark lists. I found this one in the "New Section" function. In order for this XSS to trigger though, the victim had to edit your section.

What Had to be done?

The first step was creating a new bookmark list. After I got that done, I created a New section with Image tag poisioned with XSS payload. The final step was inviting the victim by giving him/her access to my bookmarks list.



This issue has been fixed by Google security team.

I appreciate the opportunity to preserve my skills and gain some more experience
Thank you Google security team.

Wednesday, February 16, 2011

Google Security Vulnerability Reward Program: Google Finance Stored XSS

Overview
Google Finance lets you create Portfolios. After a few tries I figured a method to 
Trigger XSS using portfolio name.

What Had to be done?

OK, at First I used different payloads in the Portfolio name but nothing triggered,
but after some more research I found that after I create my Portfolio payload and click on one of these Deposit / Withdraw my Portfolio name is inserted into this function
function initPage() {
initVars();
dview = google.finance.portfolio.init({
id: '8',
expected_hash: 'U66jb3VTR2ZPUjgtaXJqaXRZc2s33VNmVWdjfDEyOTc4NzE22NDk',
edition: 'us',
name: '--XSS PAYLOAD--',
currency: 'USD'
}, true,
'/finance/s/7skxqAM7Z8M/chart9.swf?hl=en&gl=us',
true
,
false,
''
);
name: '--XSS PAYLOAD--' , so I inserted this payload as portfolio name: </script><body onload=alert(1)>  there was a filter that when you insert this </script> the server removed everything before the </script>


I appreciate the opportunity to preserve my skills and gain some more experience
Thank you Google security team.