web application security lab

Another Google XSS in Google Documents

Today, Hong emailed me with yet another Google XSS vulnerability. This time it is in the way Google’s filtering engines work to protect its users from malicious HTML in Google Documents. I’ve seen this exact hole a number of times in sites that allow WYSIWYG editors. Unfortunately, just because it’s rendered, that doesn’t make it safe. Things like that are often vulnerable to iframe injection as well. Here’s his email, edited only for formatting.

I found a hole in the Google Docs XSS filter. Google Docs does not know how textarea works. If we inject the following HTML code into the document:

<textarea><a href=" http://www.site.com/
</textarea><script>alert('xss')</script>"></textarea>

The Google XSS filter does not filter out <script>alert('xss')</script> because it is inside an HTML tag encapsulation. But in fact the browser treats <a href="http://www.site.com/ as plain text inside the textarea, then runs the script that follows it.

Here is a demo.

Google has had a pretty terrible track record when it comes to these vulnerabilities, as have many other sites of this complexity, and this one represents two failings: firstly, not understanding what HTML looks like, and secondly, not understanding that rich HTML can jump out of itself in weird ways when you just throw user text into the middle of your page. Hopefully they fix this one quickly.
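To make the mismatch concrete, here is an added Python example (not from the original post, Hong’s email, or Google) that tokenizes the payload from the email two ways: the way a tag-matching filter reads it, where the quoted href value swallows everything up to the closing quote, and the way a browser’s tokenizer reads it, where everything after <textarea> is text until the matching </textarea>. The RAW_CONTENT_ELEMENTS set, the ALLOWED tag and attribute allowlist, the scheme check and the function names are assumptions of this example; the sanitizer rebuilds the document from the browser’s view so that the two readings can no longer disagree.

```python
import html
import re
from urllib.parse import urlparse

# Assumption of this example: elements whose content the HTML tokenizer treats as text until the
# matching end tag (RCDATA: textarea, title; RAWTEXT: script, style). Inside them "<a href=" is data.
RAW_CONTENT_ELEMENTS = {"textarea", "title", "script", "style"}

# A tag-matching filter's idea of a tag: a quoted attribute value may swallow newlines and '<'.
TAG_RE = re.compile(
    r'<(?P<end>/?)(?P<name>[a-zA-Z][a-zA-Z0-9]*)'
    r'(?P<attrs>(?:\s+[^\s=/>]+(?:\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+))?)*)\s*/?>',
    re.S)
ATTR_RE = re.compile(r'([^\s=/>]+)(?:\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+)))?', re.S)

# The payload from the email, reproduced here as the constructed input for the demonstration.
PAYLOAD = ('<textarea><a href=" http://www.site.com/\n'
           '</textarea><script>alert(\'xss\')</script>"></textarea>')


def naive_tokens(markup):
    """What a regex/WYSIWYG-style filter sees: every TAG_RE match is a tag, the rest is text."""
    events, pos = [], 0
    for m in TAG_RE.finditer(markup):
        if m.start() > pos:
            events.append(("text", markup[pos:m.start()], ""))
        events.append(("end" if m.group("end") else "start", m.group("name").lower(), m.group("attrs")))
        pos = m.end()
    if pos < len(markup):
        events.append(("text", markup[pos:], ""))
    return events


def browser_tokens(markup):
    """What the browser's tokenizer sees: after a raw-content start tag, only that element's own
    end tag ends the text run, so a '<' inside it is data rather than markup."""
    events, pos = [], 0
    while pos < len(markup):
        m = TAG_RE.search(markup, pos)
        if m is None:
            events.append(("text", markup[pos:], ""))
            break
        if m.start() > pos:
            events.append(("text", markup[pos:m.start()], ""))
        name = m.group("name").lower()
        events.append(("end" if m.group("end") else "start", name, m.group("attrs")))
        pos = m.end()
        if not m.group("end") and name in RAW_CONTENT_ELEMENTS:
            close = re.compile(r"</%s\s*>" % name, re.I).search(markup, pos)
            if close is None:  # unterminated raw-content element: the rest of the document is text
                events.append(("text", markup[pos:], ""))
                break
            events.append(("text", markup[pos:close.start()], ""))
            events.append(("end", name, ""))
            pos = close.end()
    return events


def start_tags(events):
    return [name for kind, name, _ in events if kind == "start"]


def smuggled_start_tags(markup):
    """Detection: tags the browser will execute that the tag-matching view never saw."""
    return set(start_tags(browser_tokens(markup))) - set(start_tags(naive_tokens(markup)))


# Assumed allowlist for the sanitizer: tag -> attributes that may survive.
ALLOWED = {"textarea": set(), "a": {"href"}, "b": set(), "i": set(), "p": set()}
SAFE_SCHEMES = {"http", "https"}


def sanitize(markup):
    """Mitigation: rebuild the document from the browser's view. All text, including the text inside
    textarea/title, is entity-escaped; tags outside the allowlist are dropped (their content still
    comes through as escaped text); kept attributes are re-quoted and href is restricted by scheme."""
    out = []
    for kind, name, attrs in browser_tokens(markup):
        if kind == "text":
            out.append(html.escape(name, quote=False))
        elif name not in ALLOWED:
            continue
        elif kind == "end":
            out.append("</%s>" % name)
        else:
            kept = []
            for am in ATTR_RE.finditer(attrs):
                aname = am.group(1).lower()
                value = am.group(2) or am.group(3) or am.group(4) or ""
                if aname not in ALLOWED[name]:
                    continue
                if aname == "href" and urlparse(value.strip()).scheme not in SAFE_SCHEMES:
                    continue
                kept.append(' %s="%s"' % (aname, html.escape(value, quote=True)))
            out.append("<%s%s>" % (name, "".join(kept)))
    return "".join(out)


if __name__ == "__main__":
    print("filter sees:", start_tags(naive_tokens(PAYLOAD)))
    print("browser sees:", start_tags(browser_tokens(PAYLOAD)))
    print("smuggled:", smuggled_start_tags(PAYLOAD))
    print("sanitized:", sanitize(PAYLOAD))
```

Running it shows the filter's view as textarea and a, the browser's view as textarea and script, and the sanitized output with the stray `<a href=` and the script body reduced to escaped text. The design point is the one Edward makes in the comments: the sanitizer has to decide what is text using the same rules the browser uses, and then escape that text, rather than trusting that a quoted attribute value is still inside an attribute.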

12 Responses to “Another Google XSS in Google Documents”

  1. christ1an Says:

    Nice find.

    Now I’m curious to see how long it takes them to fix it. :)

  2. Edward Z. Yang Says:

    Another case where blacklist filtering bites the dust. It doesn’t strike me as a particularly hard problem to fix, however: just entity-ize anything inside <textarea>s. I hold with christ1an and wait to see how long it takes for this to be fixed. WORKSFORME.

  3. Jonathan Says:

    Are there any holes in google games?

  4. Philipp Lenssen Says:

    I can reproduce the demo but how do I reproduce creating this document? When I enter the textarea snippet as above into a new Google Docs document, and publish it, the tags will be filtered (or is it already fixed?).

  5. Me Says:

    Opera catches XSS

  6. yawnmoth Says:

    This seems to be a twist of the “end title tag” entry that’s already in the XSS cheat sheet:

    http://ha.ckers.org/xss.html#XSS_End_title_tag

    This makes me wonder… what other HTML tags disable the parsing of HTML within them? There’s textarea and title… is that it?

  7. RSnake Says:

    <comment> <!-- --> within iframe tags, noscript tags, and I’m sure there are several others.

  8. MustLive Says:

    Interesting hole, guys.

    And there is another nice hole at Google which I wrote about today:

    MOSEB-20 Bonus: Google dorks strikes back
    http://websecurity.com.ua/1070/

  9. Google dorks Says:

    Here’s an idea. How about instead of calling them “Google dorks”, you people call them “search strings” or maybe just “searches”. Because that’s what they are.

    Calling them “Google dorks” is just going to lead to confusion - it’s going to make people think that these “Google dorks” are something other than searches when, in fact, searches are all that they are. And how does that benefit anyone?

    Or maybe one of the defining aspects of “web 2.0” is that every “netizen” has an obligation to try to get a wikipedia.org article (“wikipage” - you heard it here, first!) for some new word they created? Either way, it’s lame, self-serving, and should stop.

  10. RSnake Says:

    @Google dorks - you may thrust your hatred towards Google because, in fact, they are the ones who named it that. They were trying to stop “dorks” from executing search queries, and hence came up with a “dorks file” for “Google dorks” and there you have it. I’m not sure how it’s self-serving, though; it’s a pretty common term in the blackhat SEO and hacking world these days.

  11. Google dorks Says:

    Interesting. I did not know that.

    As to why I thought it was self-serving - there are quite a few people who invent words and create wikipedia articles on them to serve their own sense of vanity. Here’s a good example:

    http://en.wikipedia.org/w/index.php?title=Cross-site_scripting&diff=134661765&oldid=134661659

    That guy actually created a whole article on his new word, too, but it was deleted.

    That guy’s “new word” was self-serving in the sense that it helped inflate his own ego. Google dorks doesn’t, at first glance, seem to be much different.

  12. RSnake Says:

    @Google dorks - understood, but I take wikipedia with a huuuuge grain of salt. While the article on XSS is vaguely correct, it is missing huge parts of the history (including the origins). You can read about the first public reference to it here (a full two years before Wikipedia’s reference that they describe as “perhaps the first”): http://ha.ckers.org/cross-site-scripting.html We actually spelled out exactly how the term came to be in the XSS Exploits book - something I haven’t seen anywhere else on the Internet. That said, Wikipedia is only as good as the people who are interested in writing about the subject matter. It’s really not much better than DMOZ - which is indeed very self-serving insomuch as you can bribe DMOZ editors.