At 12:57 this morning Hong posted a working exploit in Google based on some work he did on the 13th, finding another XSS vulnerability in Google. This one is a little more interesting than most, because it uses a basic misunderstanding of what can be done with document.write. Google’s engineers were smart enough to close off the obvious quotes and angle brackets, but because the output is inside a document.write you can use escape characters to build text that represents the output in question. Here is an example PoC:
As you can see, the \x represents a hex-encoded character. So basically pretend that you are going to URL encode something and then do a replace: anytime you see “%”, replace it with “\x”. In this way no angle brackets, quotes, equals signs or any other character other than a backslash and alphanumerics are required for the vector to fire. Pretty tricky stuff, especially since most people don’t understand what can be done inside a document.write, including Google’s developers. Nice find, Hong, and nice demonstration of what is possible inside a document.write. Time to protect yourself from backslashes too, I’d say.
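To make the failure mode concrete, here is an added example (not code from the post, and not Google's actual filter or template, both of which are constructed here for illustration). It models a server-side filter that strips quotes, angle brackets and equals signs before dropping a value into `document.write("...")`, then uses the real JavaScript engine to show what the string literal decodes to by the time document.write runs. The hardened encoder beside it follows the "protect yourself from backslashes too" advice: it HTML-encodes the value for its final destination and then escapes every non-alphanumeric character, backslash included, for the JavaScript string context. The payload, the filter and the template are all constructed test data.

```javascript
// Constructed "server-side" filter: strips the characters most developers
// think of, but leaves the backslash alone. This is the weak setting.
function naiveFilter(value) {
  return value.replace(/[<>"'=]/g, "");
}

// HTML entity encoding for the place the value finally ends up (the document).
function htmlEscape(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal encoding: every non-alphanumeric character,
// including the backslash itself, becomes \xHH (or \uHHHH above 0xFF).
function jsStringEscape(value) {
  return value.replace(/[^A-Za-z0-9 ]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Hardened encoder: encode for the innermost context (HTML) first, then for
// the JavaScript string literal that carries it.
function encodeForDocumentWrite(value) {
  return jsStringEscape(htmlEscape(value));
}

// Constructed template: the encoded value is dropped into a document.write call.
function renderScript(value, encoder) {
  return 'document.write("' + encoder(value) + '");';
}

// The trick the post describes: represent every character as \xHH so the
// vector contains only backslashes and alphanumerics.
function toHexEscapes(value) {
  return Array.from(value, (c) =>
    "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")
  ).join("");
}

// What the browser hands to document.write: the JavaScript lexer decodes the
// string literal before document.write ever sees it. We let the real engine do
// that decoding by evaluating only the quoted literal (no DOM required).
function argumentSeenByDocumentWrite(script) {
  const m = /^document\.write\((".*")\);$/s.exec(script);
  if (!m) throw new Error("unexpected script shape: " + script);
  return new Function("return " + m[1] + ";")();
}

// Convenience: run a value through an encoder and the template, return what
// document.write would actually receive.
function deliveredValue(value, encoder) {
  return argumentSeenByDocumentWrite(renderScript(value, encoder));
}

const PAYLOAD = "<script>alert(1)</script>"; // constructed test probe

// 1. Plain markup: the naive filter strips the angle brackets, looks safe.
console.log(deliveredValue(PAYLOAD, naiveFilter));
// 2. Same markup as \x escapes: the naive filter passes it untouched and the
//    lexer rebuilds the original tags before document.write runs.
console.log(deliveredValue(toHexEscapes(PAYLOAD), naiveFilter));
// 3. Hardened encoder: each backslash becomes \x5c, so document.write receives
//    the inert text "\x3c\x73..." rather than markup.
console.log(deliveredValue(toHexEscapes(PAYLOAD), encodeForDocumentWrite));
// 4. Hardened encoder on raw markup: the tags arrive as HTML entities.
console.log(deliveredValue(PAYLOAD, encodeForDocumentWrite));
```

The point to take from cases 2 and 3 is that the filter must be chosen for the context the data lands in, not for the characters an attacker is assumed to need: inside a JavaScript string literal the backslash is the escape mechanism, so any encoder that leaves it alone can be talked into producing arbitrary characters.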