Saturday, November 8, 2014

Google, me and XSS :)

I remember my teachers and my parents telling me all the time: read books, read documents, read articles; it will help you and educate you.
The journey of this report starts with the Google Bug Bounty in August 2014 and focuses on Google Apps for domains, which is admin.google.com.
In the admin console there's a component called Google Apps which contains Google services such as Docs, Calendar, etc.
I decided to focus on Calendar and went to check the documents to see if there's a difference between the regular calendar and the calendar for business.
I started to poke around and came upon a feature of Google Apps Calendar called Resources.
You can find a reference to it here: Manage resources. Don't forget to pay attention to "This feature is not available in the legacy free edition of Google Apps."
I found out that when using Google Apps Calendar there's an option, hidden from the regular calendar, that lets you set your own resource, e.g. a meeting room.
I started by trying to set a resource named my_room"><img onerror=prompt(1) src=y> in the admin console, but I found out that it was filtered against HTML tags, so I decided to go to the calendar and see if I could use it there.
I set an event with this resource but it didn't trigger any XSS, so I tried to see what the difference is between the regular calendar and the calendar for business.
I noticed Appointment slots, which are available only for Google Apps Calendar. I wanted to read about it and the first result I came up with was Google Appointment Slots (since 06/2011).
The feature has existed in Google since 06/2011!
I went back to Google Apps Calendar and started to set up my appointment. I chose one of my resource rooms, and when I checked my appointment I found out that my resource was rendered and the XSS was triggered.
First step done successfully.
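To illustrate why the same stored resource name was harmless in the admin console and in event details but fired in appointment slots, here is an added JavaScript example (not code from the original post and not Google's code): one stored name is rendered by three hypothetical views, two of which encode at the sink and one of which concatenates raw HTML, followed by a small audit helper that flags markup not written by the template. All function and view names are assumptions made for illustration; the resource name reuses the harmless prompt(1) test string from this post.

```javascript
// Added example, not from the original post. View names, templates and the
// audit helper are assumptions chosen to illustrate "encode at every sink".

// The resource name used in the post (a constructed, harmless test string).
const RESOURCE_NAME = 'my_room"><img onerror=prompt(1) src=y>';

// Minimal HTML entity encoding, safe for text and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// View 1 (admin console): encodes the stored name at the sink.
function renderAdminConsole(name) {
  return `<td class="resource">${escapeHtml(name)}</td>`;
}

// View 2 (event details): also encodes, so the stored name is inert here.
function renderEvent(name) {
  return `<span title="${escapeHtml(name)}">${escapeHtml(name)}</span>`;
}

// View 3 (appointment slots, vulnerable): the template trusts that another
// page "already filtered" the name and concatenates it raw into the markup.
function renderAppointmentSlotUnsafe(name) {
  return `<div class="slot" data-room="${name}">${name}</div>`;
}

// Hardened version of view 3: the fix is local to the sink, not the input.
function renderAppointmentSlotSafe(name) {
  return `<div class="slot" data-room="${escapeHtml(name)}">${escapeHtml(name)}</div>`;
}

// Crude check for a unit test or a response-scanning rule: does the rendered
// markup contain any tag name that the template itself never emits?
const TEMPLATE_TAGS = ['td', 'span', 'div'];
function hasForeignTag(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!TEMPLATE_TAGS.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Run the same stored value through every view and report which ones leak.
function auditViews(name) {
  return {
    admin: hasForeignTag(renderAdminConsole(name)),
    event: hasForeignTag(renderEvent(name)),
    slotUnsafe: hasForeignTag(renderAppointmentSlotUnsafe(name)),
    slotSafe: hasForeignTag(renderAppointmentSlotSafe(name)),
  };
}

console.log(auditViews(RESOURCE_NAME));
// { admin: false, event: false, slotUnsafe: true, slotSafe: false }
```

The point of the audit helper is that a stored value has to be tested against every page that renders it, not only the form that accepted it; a tag filter on the admin console says nothing about a view added years later.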
My second mission was to take this vulnerability outside of my domain, to make it more effective and more dangerous.
First I found out that I can share my resources with admins or users (Shared resources), but that was only between admins/users in my domain.
I took another look over Google Calendar and tried to find what I can share outside the domain, and I came up with sharing my calendar.
I clicked the share calendar button, set an email from outside my domain and was able to share it. The funny part was that I found another issue with Google that allowed me to add this calendar to any user without getting their permission.

Second and final step done successfully.

Conclusion: read, read and read any document you can find; the answer to a vulnerability sometimes exists in the documents.

POC:

Thanks for reading and I hope you liked it :).

Sasi