web application security lab

Blogspot XSS For Safari

I got an email today from Jose Avila about an XSS hole in BlogSpot. For anyone who doesn’t know, Blogspot is a free blogging system for people who can’t or don’t want to host their own. Anyway, his blog post discusses how the exploit works. Essentially, Blogspot considers anything inside of comment tags to be safe. So he wraps his vector, which closes the title tag and starts a remote script include, inside of comment tags.

The demo PoC page is located here and works only in Safari (and possibly Konqueror, although that is unverified), as Internet Explorer and Firefox treat an end title tag inside of a comment tag as part of the title instead of ending the title. Weird, huh? The vector is the truly noteworthy part of this, even though the site itself is very popular. Anything inside of comment tags, even if that includes an end title tag, is treated as part of the title. Bizarre behavior, but it proves that you can’t assume that things inside of comment tags are okay (as the downlevel hidden XSS vector showed us as well). Nice find, Jose!
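As an added example (not code from the original post, from Jose's write-up, or from Blogspot), the following Python models the two parser behaviours described above and shows why a filter that trusts comment contents fails while plain escaping of the title holds up. The submitted title, both filters, the page template and the script URL are all constructed for this illustration.

```python
import html
import re

# Constructed sample title for a blog whose filter treats anything inside
# <!-- ... --> as harmless (the Blogspot case). Script URL is a placeholder.
SUBMITTED_TITLE = ('My post <!-- </title>'
                   '<script src="https://example.invalid/x.js"></script> -->')

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.DOTALL | re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc="([^"]*)"', re.IGNORECASE)

def naive_filter(title: str) -> str:
    """Models the flawed check: ignore comment contents, reject any tag that
    remains, and otherwise emit the submitted title unchanged."""
    if "<" in COMMENT_RE.sub("", title):
        raise ValueError("markup outside a comment")
    return title

def escaped_filter(title: str) -> str:
    """Hardened check: <title> is RCDATA, so '<', '>' and '&' are encoded
    wherever they sit; no comment context can reintroduce markup."""
    return html.escape(title, quote=True)

def render_page(title: str) -> str:
    return f"<html><head><title>{title}</title></head><body></body></html>"

def script_srcs(document: str, comments_first: bool) -> list:
    """Return the src of every <script> that ends up outside <title>.
    comments_first=True models a parser that recognises <!-- --> before
    anything else (the IE/Firefox behaviour the post reports), so a </title>
    inside a comment stays inert. comments_first=False models RCDATA handling
    (the Safari behaviour the post reports, and what the HTML standard's RCDATA
    rules require): no comment starts inside <title>; the first </title> ends it."""
    if comments_first:
        document = COMMENT_RE.sub("", document)
    m = TITLE_RE.search(document)
    if not m:
        return []
    rest = COMMENT_RE.sub("", document[m.end():])  # drop real comments after it
    return SCRIPT_SRC_RE.findall(rest)

def demo() -> dict:
    """Run the naive and hardened filters through both parser models."""
    vulnerable = render_page(naive_filter(SUBMITTED_TITLE))
    hardened = render_page(escaped_filter(SUBMITTED_TITLE))
    return {"naive/comment_first": script_srcs(vulnerable, True),
            "naive/rcdata": script_srcs(vulnerable, False),
            "escaped/rcdata": script_srcs(hardened, False)}
```

Only the naive filter under RCDATA parsing yields a live script; the escaped title yields none under either model.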

4 Responses to “Blogspot XSS For Safari”

  1. Christian Matthies Says:

    Interesting.

    By the way I’d like to mention:
    In the very beginning of this year, I discovered a different serious security hole on blogspot. You can read about it here http://christ1an.blogspot.com/2006/12/xss-auf-bloggercom.html

    And for the English speaking people:
    There’s a possible XSS vulnerability on the blogspot sites. Arbitrary code can be injected through the feed plugin, since they are not validated at all. Example here: http://xssvulnerabilities.blogspot.com/

    However they said it would get fixed soon.

  2. RSnake Says:

    Very good info, thanks, Christian!

  3. Jungsonn Says:

    That’s interesting indeed. I tried countless times to circumvent their filters some time ago, with no luck, and actually I never saw anyone doing it properly. This is great info, thanks for sharing.

  4. hobohammerfight Says:

    Works in Windows Mobile’s IE.