web application security lab

Yet another XSS hole in Google

At 12:57 this morning Hong posted a working exploit in Google, based on some work he did on the 13th, finding another XSS vulnerability in Google. This one is a little more interesting than most, because it relies on a basic misunderstanding of what can be done with document.write. Google’s engineers were smart enough to close off the obvious quotes and angle brackets, but because the echoed value sits inside a document.write, you can use JavaScript escape sequences to build text that represents the output in question. Here is an example PoC:

As you can see, \x introduces a hex-encoded character. So basically, pretend that you are going to URL-encode something and then do a replace: any time you see “%”, replace it with “\x”. In this way no angle brackets, quotes, equals signs or any character other than a backslash and alphanumerics are required for the vector to fire. Pretty tricky stuff, especially since most people don’t understand what can be done inside a document.write, including Google’s developers. Nice find, Hong, and a nice demonstration of what is possible inside a document.write. Time to protect yourself from backslashes too, I’d say.
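The following is an added example, not code from the post or from Google, illustrating the point above from the defender's side. It contrasts a filter of the kind the post describes (strip quotes, angle brackets and equals signs, leave backslashes alone) with proper JavaScript-string escaping, and simulates what the browser's parser makes of each result when the value lands inside a `document.write("...")` literal. The function names, the naive filter and the sample input are all constructed for this example.

```javascript
// Added example (not from the original post). Shows why stripping quotes and
// angle brackets is not enough once untrusted text is placed inside a JavaScript
// string literal, and what an adequate encoder looks like.

// A filter of the kind the post describes: removes quotes, angle brackets and
// equals signs but leaves the backslash untouched (constructed for this example).
function naiveFilter(input) {
  return input.replace(/["'<>=]/g, "");
}

// Correct output encoding for the inside of a JS string literal: every character
// outside [A-Za-z0-9] becomes a \xHH or \uHHHH escape. Because the backslash is
// encoded as well, the input can no longer supply its own escape sequences.
function escapeForJsString(input) {
  return Array.from(input, (ch) => {
    if (/[A-Za-z0-9]/.test(ch)) return ch;
    const code = ch.codePointAt(0);
    if (code <= 0xff) return "\\x" + code.toString(16).padStart(2, "0");
    if (code <= 0xffff) return "\\u" + code.toString(16).padStart(4, "0");
    return "\\u{" + code.toString(16) + "}";
  }).join("");
}

// Simulates, without eval, how the JS parser turns the escape sequences in a
// string literal back into characters. Only \xHH, \uHHHH and \u{...} are handled,
// which covers everything the encoder above emits and the trick in the post uses.
// Like the real parser it makes a single pass: a backslash produced by \x5c is
// not re-interpreted.
function decodeJsStringLiteral(literal) {
  return literal.replace(
    /\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})|\\u\{([0-9A-Fa-f]+)\}/g,
    (_, x, u, ub) => String.fromCodePoint(parseInt(x || u || ub, 16))
  );
}

// Crude check used only for the demonstration: does the text document.write
// would receive contain the start of an HTML tag?
function containsMarkup(text) {
  return /<[a-zA-Z\/]/.test(text);
}

// Constructed sample input in the shape the post describes: "<b>Hi</b>" with every
// "%" of its URL-encoded form replaced by "\x". It contains only backslashes,
// alphanumerics and a slash, so the naive filter has nothing to strip.
const SAMPLE_INPUT = "\\x3cb\\x3eHi\\x3c/b\\x3e";

// Returns what document.write would actually receive for the user-controlled
// part under each of the two encoders.
function compareEncoders(value) {
  const viaNaive = decodeJsStringLiteral(naiveFilter(value));
  const viaEscaped = decodeJsStringLiteral(escapeForJsString(value));
  return {
    naiveResult: viaNaive,                 // "<b>Hi</b>": markup got through
    naiveInjectsMarkup: containsMarkup(viaNaive),
    escapedResult: viaEscaped,             // the literal characters the user typed
    escapedInjectsMarkup: containsMarkup(viaEscaped),
  };
}

console.log(compareEncoders(SAMPLE_INPUT));
```

The defensive rule this demonstrates is the one the post ends on: inside a JavaScript string context, the backslash is a metacharacter just like the quote, so the encoder must cover it, and the simplest way to get that right is to escape everything that is not alphanumeric rather than to blacklist a few characters.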

3 Responses to “Yet another XSS hole in Google”

  1. GiCi » Blog Archive » Un arcobaleno di caratteri Says:

    […] And meanwhile, the XSS problems for Google continue. […]

  2. quasi.dot » Blog Archive » Un arcobaleno di caratteri Says:

    […] And meanwhile, the XSS problems for Google continue. […]

  3. Jungsonn Says:

    Ouch! That’s gotta hurt them. Very clever find from Hong! Haven’t seen such clever finds in a long time, I guess.

    But actually, it’s strange that they let things echo back while in a document.write routine. Bad practice if you ask me.