Wieners, Brats, Franks, we've got 'em all.
//=====================>> Security Advisory <<=====================//
---------------------------------------------------------------------
XSS vulnerabilities in Google.com
---------------------------------------------------------------------

--[ Author: Yair Amit, Watchfire Corporation http://www.watchfire.com
--[ Discovery Date: 15/11/2005
--[ Initial Vendor Response: 15/11/2005
--[ Issue solved: 01/12/2005
--[ Website: www.google.com
--[ Severity: High

--[ Summary

Two XSS vulnerabilities were identified in the Google.com website,
which allow an attacker to impersonate legitimate members of Google's
services or to mount a phishing attack.
Although Google uses common XSS countermeasures, a successful attack
is possible when using UTF-7 encoded payloads.

--[ Background

Google's URL redirection script
---------------------------------------------------------------------
The script (http://www.google.com/url?q=...) is normally used for
redirecting the browser from Google's website to other sites.
For example, the following request will redirect the browser
to http://www.watchfire.com :
 - http://www.google.com/url?q=http://www.watchfire.com

When the parameter (q) is passed to the script with an illegal format
(the format seems to be: http://domain), a "403 Forbidden" page
returns to the user, informing that the query was illegal.
The parameter's value appears in the HTML returned to the user.

If http://www.google.com/url?q=USER_INPUT is requested, the text in
the "403 Forbidden" response would be:
 - "Your client does not have permission to get URL /url?q=USER_INPUT from this server."

The server response lacks charset encoding enforcement, such as:
* Response headers: "Content-Type: text/html; charset=[encoding]".
* Response body: "<meta http-equiv="Content-Type" (...)charset=[encoding]/>".

Google's 404 NOT FOUND mechanism
---------------------------------------------------------------------
When requesting a page which doesn't exist under www.google.com, a
404 NOT FOUND response is returned to the user, with the original
path requested.

If http://www.google.com/NOTFOUND is requested, the following text
appears in the response:
"Not Found
The requested URL /NOTFOUND was not found on this server."

The server response lacks charset encoding enforcement, such as:
* Response headers: "Content-Type: text/html; charset=[encoding]".
* Response body: "<meta http-equiv="Content-Type" (...)charset=[encoding]/>".

--[ XSS vulnerabilities

While the aforementioned mechanisms (URL redirection script,
404 NOT FOUND) escape common characters used for XSS, such as <>
(angle brackets) and apostrophes, they fail to handle
hazardous UTF-7 encoded payloads.
Therefore, when sending an XSS attack payload encoded in UTF-7, the
payload will return in the response without being altered.
For the attack to succeed (script execution), the victim's browser
should treat the XSS payload as UTF-7.

--[ IE charset encoding Auto-Selection

If 'Encoding' is set to 'Auto-Select', and Internet Explorer finds a
UTF-7 string in the first 4096 characters of the response's body,
it will set the charset encoding to UTF-7 automatically, unless a
certain charset encoding is already enforced.
This automatic encoding selection feature makes it possible to mount
UTF-7 XSS attacks on Google.com.

--[ Solution

Google solved the aforementioned issues on 01/12/2005, by using
character encoding enforcement.

--[ Acknowledgement

The author would like to commend the Google Security Team for their
cooperation and communication regarding this vulnerability.
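As an added example (not part of the advisory or of this thread), a small Python checker that applies the two conditions the advisory names to a constructed HTTP response: no enforced charset, and a UTF-7 shift sequence inside the first 4096 characters that IE's Auto-Select inspects; it also applies the fix the advisory describes, declaring the charset on the Content-Type header. The function names, the sample headers and the sample 403 body are constructed for illustration.

```python
import re

IE_SNIFF_WINDOW = 4096  # IE Auto-Select inspects the first 4096 characters of the body

HEADER_CHARSET = re.compile(r'charset\s*=\s*"?([\w-]+)', re.I)
META_CHARSET = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?content-type["\']?[^>]*charset\s*=\s*["\']?([\w-]+)', re.I)
# A UTF-7 shift sequence: '+' followed by modified-base64 text and a closing '-'.
UTF7_SHIFT = re.compile(r'\+[A-Za-z0-9+/]{2,}-')


def _header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ''


def declared_charset(headers, body):
    """Charset the response enforces (header first, then <meta>), or None if neither declares one."""
    match = HEADER_CHARSET.search(_header(headers, 'Content-Type'))
    if match is None:
        match = META_CHARSET.search(body[:IE_SNIFF_WINDOW])
    return match.group(1).lower() if match else None


def utf7_autoselect_risk(headers, body):
    """True when a browser with charset Auto-Select could switch this response to UTF-7:
    no charset is enforced and a UTF-7 shift sequence sits inside the sniffing window."""
    if declared_charset(headers, body) is not None:
        return False
    return UTF7_SHIFT.search(body[:IE_SNIFF_WINDOW]) is not None


def enforce_charset(headers, charset='UTF-8'):
    """The fix the advisory describes: declare the charset on the Content-Type header."""
    media_type = _header(headers, 'Content-Type').split(';')[0].strip() or 'text/html'
    fixed = {k: v for k, v in headers.items() if k.lower() != 'content-type'}
    fixed['Content-Type'] = f'{media_type}; charset={charset}'
    return fixed


# Constructed 403 page shaped like the one the advisory quotes. The echoed parameter value is the
# UTF-7 encoding of the harmless string "abc"; escaping of <> and quotes leaves it untouched.
WEAK_HEADERS = {'Content-Type': 'text/html'}
ECHO_403 = ('<html><body>Your client does not have permission to get URL '
            '/url?q=+AGEAYgBj- from this server.</body></html>')

if __name__ == '__main__':
    print('charset:', declared_charset(WEAK_HEADERS, ECHO_403))      # None
    print('at risk:', utf7_autoselect_risk(WEAK_HEADERS, ECHO_403))  # True
    print('after fix:', utf7_autoselect_risk(enforce_charset(WEAK_HEADERS), ECHO_403))  # False
```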
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all
Quote from: CrAz3D on June 30, 2008, 10:38:22 am
I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense. Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT.
Quote
Google solved the aforementioned issues at 01/12/2005, by using
character encoding enforcement.