Code: Select all
XSS vulnerabilities in Google.com
---------------------------------------------------------------------
--[ Author: Yair Amit , Watchfire Corporation http://www.watchfire.com
--[ Discovery Date: 15/11/2005
--[ Initial Vendor Response: 15/11/2005
--[ Issue solved: 01/12/2005
--[ Website: www.google.com=20
--[ Severity: High
--[ Summary
Two XSS vulnerabilities were identified in the Google.com website,=20
which allow an attacker to impersonate legitimate members of Google's=20
services or to mount a phishing attack.
Although Google uses common XSS countermeasures, a successful attack=20
is possible, when using UTF-7 encoded payloads.
--[ Background
Google's URL redirection script
---------------------------------------------------------------------
The script (http://www.google.com/url?q=3D...) is normally used for=20
redirecting the browser from Google's website to other sites.
For example, the following request will redirect the browser=20
to http://www.watchfire.com :
- http://www.google.com/url?q=3Dhttp://www.watchfire.com=20
When the parameter (q) is passed to the script with illegal format=20
(The format seems to be: http://domain), a "403 Forbidden" page=20
returns to the user, informing that the query was illegal.=20
The parameter's value appears in the html returned to the user.
If http://www.google.com/url?q=3DUSER_INPUT is requested, the text in=20
the "403 Forbidden" response would be:
- "Your client does not have permission to get URL=20
/url?q=3DUSER_INPUT from this server."
The server response lacks charset encoding enforcement, such as:
* Response headers: "Content-Type: text/html; charset=3D[encoding]".
* Response body: "<meta http-equiv=3D"Content-Type" (...)
charset=3D[encoding]/>".
Google's 404 NOT FOUND mechanism
---------------------------------------------------------------------
When requesting a page which doesn't exist under www.google.com, a=20
404 NOT FOUND response is returned to the user, with the original=20
path requested.
If http://www.google.com/NOTFOUND is requested, the following text=20
appears in the response:
"Not Found
The requested URL /NOTFOUND was not found on this server."
The server response lacks charset encoding enforcement, such as:
* Response headers: "Content-Type: text/html; charset=3D[encoding]".
* Response body: "<meta http-equiv=3D"Content-Type" (...)
charset=3D[encoding]/>".
--[ XSS vulnerabilities
While the aforementioned mechanisms (URL redirection script,=20
404 NOT FOUND) escape common characters used for XSS, such as <>=20
(triangular parenthesis) and apostrophes, it fails to handle=20
hazardous UTF-7 encoded payloads.
Therefore, when sending an XSS attack payload, encoded in UTF-7, the=20
payload will return in the response without being altered.
For the attack to succeed (script execution), the victim=12s browser=20
should treat the XSS payload as UTF-7.
--[ IE charset encoding Auto-Selection
If 'Encoding' is set to 'Auto-Select', and Internet-Explorer finds a=20
UTF-7 string in the first 4096 characters of the response's body,=20
it will set the charset encoding to UTF-7 automatically, unless a=20
certain charset encoding is already enforced.=20
This automatic encoding selection feature makes it possible to mount=20
UTF-7 XSS attacks on Google.com.
--[ Solution
Google solved the aforementioned issues at 01/12/2005, by using=20
character encoding enforcement.
--[ Acknowledgement
The author would like to commend the Google Security Team for their=20
cooperation and communication regarding this vulnerability.
