Monday, September 19, 2016

A combination of techniques leads to DOM-based XSS in Google.

Hello all!

It's been a long time since I blogged about my findings, so today I'm going to post about one of my favorite finds in Google this year (2016).

Last July, I found a DOM-based XSS while surfing through Google subdomains.
The most important thing about this find is that I was able to trigger the XSS via clickjacking.
Before I continue, I just want to say that I really don't understand why companies put clickjacking out of scope; maybe they don't know how clickjacking works, or what the real impact of such an attack is.

Anyway, I was looking for subdomains in Google and I came across earthengine.google.com. I started checking whether there were any subdomains or pages where I could look for interesting issues.
After 10 minutes I came across the following subdomain, explorer.earthengine.google.com, which lets you explore maps by heat/cold and other parameters.

I found a parameter called Class which gives you some attributes you can set to see the earth in other colors, waters, etc.
Once I created this class its name was 'Class Untitled', so, as I automatically do, I set it to the simplest vector <img-onload-alert(1)>, and as a result a pop-up came up.
Cool and not cool: once the name was saved, the HTML tags were removed, and once I refreshed the page nothing really happened.

I tried to figure out what could lead to that XSS, so I read some JS files and tried to understand the DOM of the page, and I found that once you focus/unfocus the field, the XSS triggers.
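The pattern described above, written out as an added example (not the post's code and not Earth Engine's): the save path strips tags from the stored name, but a separate focus/blur handler rebuilds the label from the raw value with innerHTML, so the filtering never reaches the sink that matters. The hardened handler encodes at the point of output instead. FakeNode, the handler names and the sample name are constructed for this example so it runs under Node without a browser.

```javascript
// Added example, not the original page's code: contrasts tag-stripping on save
// (which protects only readers of the stored copy) with output encoding at the
// innerHTML sink that a focus/blur handler actually writes to.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output-encode a string so the browser renders it as text, never as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// What the save path appears to have done: drop anything that looks like a tag.
// This is input filtering, not output encoding; code paths that read the raw
// value instead of the stored copy get no benefit from it.
function stripTags(s) {
  return String(s).replace(/<[^>]*>/g, '');
}

// Stand-in for a DOM element (constructed); only the innerHTML sink matters here.
class FakeNode {
  constructor() { this.innerHTML = ''; }
}

// Vulnerable handler: on blur it rebuilds the label from the raw input value with
// innerHTML, so the sanitized stored copy is never consulted.
function renderNameOnBlurUnsafe(node, rawValue) {
  node.innerHTML = `<span class="class-name">${rawValue}</span>`;
  return node.innerHTML;
}

// Hardened handler: same sink, but the value is encoded where it is emitted, so it
// is safe whether or not an earlier step filtered it.
function renderNameOnBlurSafe(node, rawValue) {
  node.innerHTML = `<span class="class-name">${escapeHtml(rawValue)}</span>`;
  return node.innerHTML;
}

// Crude detector for markup a browser would treat as executable (an element with an
// on* event attribute, or a script tag). Used only to make the difference between
// the two handlers observable; it is not a sanitizer.
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html) || /<script\b/i.test(html);
}

// Walk the flow from the post: type a name, save it (tags stripped), then blur.
function simulateSaveThenBlur(rawValue, handler) {
  const stored = stripTags(rawValue);        // what the server keeps
  const node = new FakeNode();
  const rendered = handler(node, rawValue);  // what the blur handler shows
  return { stored, rendered, executable: containsActiveMarkup(rendered) };
}

// Constructed sample input, modelled on the kind of vector the post describes.
const SAMPLE_NAME = 'Class Untitled <img src=x onerror=alert(1)>';

console.log('unsafe:', simulateSaveThenBlur(SAMPLE_NAME, renderNameOnBlurUnsafe));
console.log('safe:  ', simulateSaveThenBlur(SAMPLE_NAME, renderNameOnBlurSafe));
```

The stored copy comes back clean in both runs; only the rendered output differs, which is exactly why "the tags were removed on save" was not evidence that the bug was gone. When reviewing a front end for this class of issue, look for every assignment to innerHTML, outerHTML or insertAdjacentHTML in event handlers and ask where its input comes from, not whether the server sanitized something.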

So what did I have so far?

  • The name of the class has its HTML tags stripped once it is saved.
  • The focus/unfocus handler brings the HTML tags back, which leads to DOM-based XSS.
Again, it's cool but not cool. Why?

I cannot trigger it without user interaction; I cannot force a user to click on that page without... wait...
If I can make users click wherever I want, with a minimum of clicks, let's say 1 or 2, I'll be able to make this XSS more dangerous... but how?
To resolve it, I first checked the HTTP headers of that page and found out that X-Frame-Options was missing. It's my lucky day!
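The header check that would have flagged this page, as an added example (not the post's code): given a response's headers, decide whether anything stops the page from being framed, treating a CSP frame-ancestors directive as authoritative when present and X-Frame-Options as the fallback. The header samples, function names and the RECOMMENDED_HEADERS set are constructed for this example.

```javascript
// Added example, not the original page's code: evaluates framing protection from
// response headers. Header names are matched case-insensitively, as Node's
// fetch()/http lowercase them; sample headers below are constructed.

// Normalize a headers object to lowercase keys.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Extract the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Returns { protected, reason }. frame-ancestors takes precedence over
// X-Frame-Options when both are present; X-Frame-Options alone counts only as
// DENY or SAMEORIGIN (ALLOW-FROM is obsolete and ignored by current browsers).
function framingPolicy(rawHeaders) {
  const h = lowerKeys(rawHeaders);
  const csp = h['content-security-policy'];
  if (csp) {
    const sources = frameAncestors(csp);
    if (sources !== null) {
      if (sources.includes('*')) {
        return { protected: false, reason: "frame-ancestors allows any origin ('*')" };
      }
      return { protected: true, reason: `frame-ancestors ${sources.join(' ')}` };
    }
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options: ${xfo}` };
  }
  if (xfo) {
    return { protected: false, reason: `X-Frame-Options value "${xfo}" is not enforced by browsers` };
  }
  return { protected: false, reason: 'no frame-ancestors directive and no X-Frame-Options header' };
}

// What a fix sends; both headers together cover browsers that predate CSP Level 2.
const RECOMMENDED_HEADERS = {
  'Content-Security-Policy': "frame-ancestors 'self'",
  'X-Frame-Options': 'SAMEORIGIN',
};

// Constructed samples: the situation in the post (no framing control) and fixes.
const SAMPLES = {
  missing: { 'Content-Type': 'text/html', 'Cache-Control': 'private' },
  xfoOnly: { 'Content-Type': 'text/html', 'X-Frame-Options': 'sameorigin' },
  cspOnly: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  cspNoFa: { 'Content-Security-Policy': "default-src 'self'" },
  fixed: RECOMMENDED_HEADERS,
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(8), framingPolicy(headers));
}
```

To run it against a live response on Node 18 or later, pass `Object.fromEntries(res.headers)` from a `fetch()` result into `framingPolicy`. Note the `cspNoFa` case: a page can have a CSP and still be frameable, because only the frame-ancestors directive governs embedding.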

Now, all I have to do is share my workspace, set it as the src of my iframe and... BOOM! (I always wanted to write the BOOM thing, just ignore it :)).

After a few hours of HTML design (I'm not so professional with HTML :)), I created a simple game that any user would click on, and within 2 clicks I managed to trigger that XSS.


Thanks to the Google security team, who responded very quickly.
Thanks for reading,

Sasi