Monday, September 19, 2016

A combination of techniques leads to DOM-based XSS in Google.



Hello all!

It's been a long time since I blogged about my findings, so today I'm going to post about one of my favorite finds in Google this year (2016).

Last July, I found a DOM-based XSS while surfing through Google subdomains.
The most important thing about this find is that I was able to trigger the XSS via clickjacking.
Before I continue, I just want to say that I really don't understand why companies put clickjacking out of scope; maybe they don't know how clickjacking works or what the real impact of such an attack is.

Anyway, I was looking at some Google subdomains and I came across earthengine.google.com. I started to check whether there were any subdomains or pages where I could look for interesting issues.
After 10 minutes I came across the following subdomain, explorer.earthengine.google.com. This subdomain lets you explore maps by heat/cold and other parameters.

I found a parameter called Class which gives you some attributes you can set to see the earth in other colors, waters, etc.
Once I created this class its name was 'Class Untitled', so, automatically, I set it to the simplest vector, <img-onload-alert(1)>, and as a result a popup came up.
Cool and not cool: once the name was saved, the HTML tags were removed. Once I refreshed the page nothing really happened.

I tried to figure out what could lead to that XSS. I read some JS files, tried to understand the DOM of the page, and found that once you focus/unfocus the field, the XSS triggers.

So what did I have so far?

  • The name of the class has its HTML tags stripped once it is saved.
  • The focus/unfocus handler returns the HTML tags, which leads to DOM-based XSS.

Again, it's cool but not cool. Why?

I cannot trigger it without user interaction; I cannot force a user to click on that page without...wait...
If I could force users to click wherever I want, with a minimum of clicks, let's say 1 or 2 clicks, I'd be able to make this XSS more dangerous...but how?
To resolve it, I first checked the HTTP headers of that page and found out that X-Frame-Options is missing. It's my lucky day!

Now all I have to do is share my workspace, set it as my src attribute and ....BOOM! (I always wanted to write the BOOM thing, just ignore it :)).

After a few hours of HTML design (I'm not so professional with HTML :)), I created a simple game that any user would click on, and within 2 clicks I managed to trigger that XSS.
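The missing X-Frame-Options header was the precondition for the clickjacking step. As an added example (not code from the original post), the function below classifies a response's framing policy from its headers the way a reviewer would check it, giving the CSP frame-ancestors directive precedence over X-Frame-Options as browsers do; the header names are standard, while the sample responses are constructed.

```javascript
// Added example, not code from the original post. Given a response's headers,
// report whether an arbitrary third-party page may frame this page, which is
// the precondition the post relied on once X-Frame-Options turned out to be
// absent. The sample header sets below are constructed.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // A CSP frame-ancestors directive takes precedence over X-Frame-Options
  // in browsers that support it, so evaluate it first.
  const csp = h['content-security-policy'] || '';
  const directive = csp
    .split(';')
    .map(d => d.trim())
    .find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1).map(s => s.toLowerCase());
    // An empty source list or 'none' blocks all framing.
    if (sources.length === 0 || sources.includes("'none'")) {
      return { frameable: false, via: "frame-ancestors 'none'" };
    }
    // '*' or a bare scheme (e.g. https:) lets any origin of that scheme frame the page.
    if (sources.some(s => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s))) {
      return { frameable: true, via: `frame-ancestors ${sources.join(' ')}` };
    }
    return { frameable: false, via: `frame-ancestors allow-list (${sources.join(' ')})` };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { frameable: false, via: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Current browsers do not implement ALLOW-FROM and treat the header as absent.
    return { frameable: true, via: 'X-Frame-Options ALLOW-FROM is not enforced by current browsers' };
  }
  return { frameable: true, via: 'no framing restriction in headers' };
}

// Constructed sample responses; "missing" is the situation described in the post.
const SAMPLES = {
  missing:   { 'Content-Type': 'text/html' },
  xfo:       { 'X-Frame-Options': 'sameorigin' },
  cspNone:   { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspWins:   { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
  allowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const r = framingPolicy(headers);
  console.log(`${name.padEnd(10)} frameable=${r.frameable} (${r.via})`);
}
```

The `cspWins` sample is the one people get wrong in review: a strict X-Frame-Options value does not rescue a permissive frame-ancestors directive, because a browser that understands CSP ignores the older header when the directive is present.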

Thanks to the Google security team, who responded very quickly.
Thanks for reading,

Sasi

Tuesday, December 8, 2015

A creative bug which resulted in Stored XSS on m.youtube.com

Hi all!
It's been a long time since I blogged about my findings, so today I'm going to post about my creative bug on YouTube.
It all started back in April 2015. I was checking Google for some bugs and didn't find anything, so I decided that it was time to leave the research aside and go play MW3 on my PlayStation 3.
I turned on my PS3 and suddenly noticed the YouTube application that exists on the PS3.
This application lets you play music/movies from anywhere on your PS3.
I started to search for documents about it and found that I can share my connected TV with any mobile/tablet/PC, etc.
So I opened my PC and found out that I can actually stream my YouTube music to my PS3. COOL!
I also noticed that every person connected to my WiFi can actually connect to it and stream to my PS3....wait! DO WHAT?!
Let me repeat this slowly...any user on my WiFi can see the PS3 name and stream anything to my PS3......:)!
So I fired up Burp Suite, configured my PS3 to use my remote proxy and was ready to capture the PS3's requests.
I set a new name on my PS3 and captured the request.
As you can see, the field screen_name can be changed to any name with special chars, and no check exists. I set it to the very simple and well-known XSS vector Sasi""img src=y onerror=confirm(document.domain) and continued the request. As a result I saw that the name of the screen was now PatrikIsMyFriend""img src=y onerror=confirm(document.domain), without any JS executed.
So..if my creativity hasn't been good so far, I came up with the idea of changing my user-agent to Android, cuz hey, you can use this TV name on any WiFi connection. After setting my user-agent I got redirected to m.youtube.com, which contains lots of div tags to display content.
I searched for some Rammstein music, clicked on which TV I wanted to play the music on, and the XSS popped up.

As always, the Google security team closed the issue within hours!

Thanks for reading!

Sasi

Saturday, November 8, 2014

Google, me and XSS :)

I remember my teachers and my parents telling me all the time: read books, read documents, read articles, it will be helpful and educate you.
The journey of this report started with the Google Bug Bounty in August 2014 and focuses on Google Apps for domains, which is admin.google.com.
In the admin console there's a component called Google Apps which contains Google services such as Docs, Calendar, etc.
I thought to focus on Calendar and went to check the documents to see if there's a difference between the regular calendar and the calendar for business.
I started to poke around and came up with a feature in Google Apps Calendar called Resources.
You can find a reference to it here: Manage resources. Don't forget to pay attention to "This feature is not available in the legacy free edition of Google Apps."
I found out that when using Google Apps Calendar there's an option hidden from the regular calendar that lets you set your own resource, e.g. a meeting room.
I started to try and set a resource as my_room"><img onerror=prompt(1) src=y> in the admin console, but I found out that it was filtered against HTML tags, so I decided to go to the calendar and see if I could use it there.
I set an event with this resource but it didn't trigger any XSS, so I tried to see what the difference is between the regular calendar and the calendar for business.
I noticed Appointment slots, which are available only for Google Apps Calendar. I wanted to read about it and the first result I came up with was Google Appointment Slots (since 06/2011).
The feature has existed in Google since 06/2011!
I went back to Google Apps Calendar and started to set my appointment. I chose one of my resource rooms, and when I checked my appointment I found that my resource was rendered and the XSS triggered.
First step done successfully.
My second mission was to take this vulnerability outside of my domain, to make it more effective and more dangerous.
First I found out that I can share my resources with admins or users (Shared resources), but that was only between admins/users in my domain.
I took another look over Google Calendar and tried to find what I could share outside the domain, and I came up with sharing my calendar.
I clicked the share calendar button, set an email from outside my domain and was able to share it. The funny part was that I found another issue with Google that allowed me to add this calendar to any user without getting their permission.

Second and final step done successfully.

Conclusion: read, read and read any document you can find; the answer to a vulnerability sometimes exists in the documents.
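All three findings on this page share one shape: the value is filtered once on the way in (the class name has its tags stripped on save, the admin console filters the resource name), yet a second rendering path (the focus/unfocus handler, the Android/m.youtube.com device list, the appointment-slot view) inserts the stored value into the page raw. As an added example that is not code from any of the posts, the model below puts an input-side tag stripper next to context-aware output encoding and runs a coarse review check over several render paths to show which ones let user data reach the markup unencoded; the renderer names are hypothetical and the payload is the resource-name vector quoted in the 2014 post.

```javascript
// Added example, not code from the original posts. The renderer and store
// names are hypothetical; only the payload string is taken from the page.

// Input-side filter of the kind the posts describe: tags are removed, but
// what remains (e.g. `my_room">`) is still unsafe in an attribute context,
// and any other path that reads the stored value gets no protection at all.
function stripTags(s) {
  return String(s).replace(/<[^>]*>/g, '');
}

// Output-side encoding for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable: the primary view strips tags, but two other paths interpolate
// the stored value as-is (the pattern behind the findings above).
const vulnerableRenderers = {
  classTitle:       name => `<h1>${stripTags(name)}</h1>`,
  mobileDeviceList: name => `<div class="device">${name}</div>`,
  editFieldOnFocus: name => `<input type="text" value="${name}">`,
};

// Hardened: every path encodes for its HTML context at the point of output,
// so it no longer matters what the storage layer did on the way in.
const hardenedRenderers = {
  classTitle:       name => `<h1>${escapeHtml(name)}</h1>`,
  mobileDeviceList: name => `<div class="device">${escapeHtml(name)}</div>`,
  editFieldOnFocus: name => `<input type="text" value="${escapeHtml(name)}">`,
};

// Coarse review check for tag injection: render a benign name to count the
// template's own '<' characters, then render the payload; any extra '<'
// means user data reached the markup unencoded. It does not catch attribute
// breakouts that add no tag, so it complements, not replaces, a code review.
function pathsLeakingMarkup(renderers, payload) {
  const count = s => (s.match(/</g) || []).length;
  return Object.entries(renderers)
    .filter(([, render]) => count(render(payload)) > count(render('benign')))
    .map(([path]) => path);
}

// Constructed input: the resource-name vector quoted in the 2014 post.
const PAYLOAD = 'my_room"><img onerror=prompt(1) src=y>';

console.log('vulnerable paths:', pathsLeakingMarkup(vulnerableRenderers, PAYLOAD));
console.log('hardened paths:  ', pathsLeakingMarkup(hardenedRenderers, PAYLOAD));
```

The point the check makes visible is that `classTitle` looks fine in isolation, which is exactly why the input filter was believed sufficient; the other two paths read the same stored value and were never covered. Encoding at each output sink, rather than filtering at one input, is what removes the whole class of "second render path" bugs.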

POC:

Thanks for reading and I hope you liked it :).

Sasi