[WEB SECURITY] XSS vulnerabilities in Google.com
- From: "Watchfire Research" <security-research@xxxxxxxxxxxxx>
- Subject: [WEB SECURITY] XSS vulnerabilities in Google.com
- Date: Wed, 21 Dec 2005 15:18:45 +0200
//======================>> Security Advisory <<======================//
---------------------------------------------------------------------
XSS vulnerabilities in Google.com
---------------------------------------------------------------------
--[ Author: Yair Amit , Watchfire Corporation http://www.watchfire.com
--[ Discovery Date: 15/11/2005
--[ Initial Vendor Response: 15/11/2005
--[ Issue solved: 01/12/2005
--[ Website: www.google.com
--[ Severity: High
--[ Summary
Two XSS vulnerabilities were identified in the Google.com website,
which allow an attacker to impersonate legitimate members of Google's
services or to mount a phishing attack.
Although Google uses common XSS countermeasures, a successful attack
is possible using UTF-7 encoded payloads.
--[ Background
Google's URL redirection script
---------------------------------------------------------------------
The script (http://www.google.com/url?q=...) is normally used for
redirecting the browser from Google's website to other sites.
For example, the following request will redirect the browser
to http://www.watchfire.com :
- http://www.google.com/url?q=http://www.watchfire.com
When the parameter (q) is passed to the script in an illegal format
(the expected format appears to be http://domain), a "403 Forbidden"
page is returned to the user, informing them that the query was illegal.
The parameter's value appears in the HTML returned to the user.
If http://www.google.com/url?q=USER_INPUT is requested, the text in
the "403 Forbidden" response would be:
- "Your client does not have permission to get URL
/url?q=USER_INPUT from this server."
The server response lacks charset encoding enforcement, such as:
* Response headers: "Content-Type: text/html; charset=[encoding]".
* Response body: "<meta http-equiv="Content-Type" (...)
charset=[encoding]/>".
Google's 404 NOT FOUND mechanism
---------------------------------------------------------------------
When requesting a page which doesn't exist under www.google.com, a
404 NOT FOUND response is returned to the user, with the original
path requested.
If http://www.google.com/NOTFOUND is requested, the following text
appears in the response:
"Not Found
The requested URL /NOTFOUND was not found on this server."
The server response lacks charset encoding enforcement, such as:
* Response headers: "Content-Type: text/html; charset=[encoding]".
* Response body: "<meta http-equiv="Content-Type" (...)
charset=[encoding]/>".
--[ XSS vulnerabilities
While the aforementioned mechanisms (URL redirection script,
404 NOT FOUND) escape common characters used for XSS, such as <>
(angle brackets) and apostrophes, they fail to handle
hazardous UTF-7 encoded payloads.
Therefore, when an XSS attack payload is sent encoded in UTF-7, the
payload is returned in the response without being altered.
For the attack to succeed (script execution), the victim's browser
must treat the XSS payload as UTF-7.
--[ IE charset encoding Auto-Selection
If 'Encoding' is set to 'Auto-Select', and Internet-Explorer finds a
UTF-7 string in the first 4096 characters of the response's body,
it will set the charset encoding to UTF-7 automatically, unless a
certain charset encoding is already enforced.
This automatic encoding selection feature makes it possible to mount
UTF-7 XSS attacks on Google.com.
--[ Solution
Google solved the aforementioned issues on 01/12/2005 by enforcing
the character encoding of the response.
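As an added illustration, not part of the advisory, the following Python shows why escaping angle brackets alone leaves a UTF-7-shifted string untouched, and a check for the charset enforcement the fix relies on. The sample headers and 403 body are constructed for the example, and utf7_shift is a minimal RFC 2152 encoder written here, not a real filter or browser component.

```python
import base64
import re
from html import escape


def utf7_shift(text: str) -> str:
    """Minimal RFC 2152 encoder (assumption for this example: each non-alphanumeric
    character gets its own +base64- block, a form any UTF-7 decoder accepts)."""
    out = []
    for ch in text:
        if ch.isalnum():
            out.append(ch)  # Set D characters may stay literal
        else:
            b64 = base64.b64encode(ch.encode("utf-16-be")).decode("ascii")
            out.append("+" + b64.rstrip("=") + "-")
    return "".join(out)


def survives_naive_escaping(text: str) -> bool:
    """True when HTML-escaping the UTF-7 form changes nothing (the filter never sees
    a '<' or '>') while a UTF-7 decoder still recovers the original markup."""
    shifted = utf7_shift(text)
    untouched = escape(shifted, quote=True) == shifted
    return untouched and shifted.encode("ascii").decode("utf-7") == text


def charset_enforced(headers: dict, body: str) -> bool:
    """Does the response pin its encoding in the Content-Type header or in a
    <meta> tag (the http-equiv form from the advisory or <meta charset=...>)?"""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if re.search(r"charset\s*=\s*[\w-]+", ctype, re.I):
        return True
    return re.search(r"<meta[^>]*charset\s*=\s*['\"]?[\w-]+", body, re.I) is not None


def pin_charset(headers: dict, charset: str = "UTF-8") -> dict:
    """The fix the advisory describes: declare the charset explicitly so the
    browser never falls back to auto-selection."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "text/html")
    fixed = {k: v for k, v in headers.items() if k.lower() != "content-type"}
    fixed["Content-Type"] = ctype.split(";")[0].strip() + f"; charset={charset}"
    return fixed


# Constructed sample: a 403 page reflecting the query with no charset declared.
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_BODY = ("<html><body>Your client does not have permission to get URL "
               "/url?q=+ADw-b+AD4- from this server.</body></html>")
```

Run against SAMPLE_HEADERS and SAMPLE_BODY, charset_enforced returns False, and after pin_charset it returns True; survives_naive_escaping("<b>") shows the escaping step alone is not a defence.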
--[ Acknowledgement
The author would like to commend the Google Security Team for their
cooperation and communication regarding this vulnerability.
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org