Thursday, December 9, 2010

Cat Hurneas How Much Would It Cost

begins the era of information

Google.com vulnerable to XSS (HTML Code Injection)

Because today it's The National Day of Romania, I’ll make public a vulnerability in www.google.com (more exactly www.maps.google.com). About what kind of vulnerability we talk? XSS (Cross-Site Scripting). For proof I created a video & some screenshots. I would like to say,first I reported to security@google.com, and now they will fix it! Until now, it’s still vulnerable (but isn’t a very critically thing, so I can post).

Video:

http://vimeo.com/17362003

Screenshots:

Google HTML Code Injection – Screenshot 1

Google HTML Code Injection – Screenshot 2

Vulnerable parameter:

Open: http://maps.google.com/maps

Click on: Change default location

Add your code (XSS)
________________________________________

TinKode @ InSecurity.Ro
The XSS found by lady: Sony @ InSecurity.Ro
________________________________________

Update: Another vulnerability
was found on www.google.com
, by Lady Sony from www.InSecurity.Ro .

Proof Of Concept:

Video:
http://vimeo.com/17439878

Vulnerable Parameter:
http://translate.google.com/translate?hl=en&sl=ro&u= [EVIL_CODE]
The [EVIL_CODE] it’s a website where are the EVIL files to obtain what I want. So I created 4 files on one of my sites ( www.antisec.es ) for testing:

XSS AlertBox ( www.antisec.es/google/google1.php ) XSS document.cookie ( www.antisec.es/google/google2.php )

HTML Redirect ( www.antisec.es/google/google3.php
)

Iframe ( www.antisec.es/google/google4.php )

AlertBox File Source:

<script>alert(document.cookie)</script>
<meta http-equiv="refresh" content="2;url=http://insecurity.ro/">
<iframe src="http://insecurity.ro" width="800" height="800" ALT="InSecurity.Ro Team">
Google Translate XSS ScreenShot 1 (AlertBox)

Google Translate XSS ScreenShot 2
(document.cookie)

First, when I saw this alertbox, I though was only a “alert” / “XSS” from vulnerable website

 (in this case:  antisec.es)

, but no, this it’s a really and cool XSS in Google.com! Why? Look at the title of alertbox
(Page http://translate.googleusercontent.com said…)
.

Some informations about
googleusercontent.com :
Googleusercontent.com is a domain controlled by four name servers at google.com. All four of them are on different IP networks. The primary name server is

 ns1.google.com

.
… www.googleusercontent.com
is ranked #37 world wide as googleusercontent.com and is hosted on a server in United States. It has 15 inlinks. It has 20 organic keywords.

 ________________________________________

Proof Of Concept by: TinKode @
InSecurity.Ro

The XSS found by lady: Sony @ InSecurity.Ro

________________________________________ Source:
http://tinkode27.baywords.com/google-com-xss-html-code-injection/

Posted by admin at 6:01 PM
Email This BlogThis! Share to X Share to Facebook

0 comments:

Post a Comment