Date: Fri, 27 Nov 2015 10:08:44 +0000
From: Gynvael Coldwind <gynvael@...dwind.pl>
To: Francisco Javier Santiago Vázquez
 <franciscojaviersantiagovazquez@...il.com>, fulldisclosure@...lists.org
Subject: Re: [FD] Google Translator affected by Cross-Site Scripting vulnerability

Hi Francisco,

Unfortunately your disclosure is factually wrong.

Please note that even the packet you are citing says "Host:
translate.googleusercontent.com" - this is not the same domain as
translate.google.es (or translate.google.com); therefore, due to the
JavaScript same-origin policy (
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy)
it's a different origin, which means that scripts executed from
translate.googleusercontent.com do not have access to the cookies/DOM/etc. of
the Google Translate main domains (translate.google.es, etc.).
And there are no interesting cookies / things to do on
translate.googleusercontent.com.

Given the above, as Google surely told you, you didn't find an XSS in
Google Translate, you found an XSS in a sandbox domain, which was designed
to allow execution of potentially hostile JavaScript code. Hey, you can
even find the *.googleusercontent.com domain in Google's sandboxed domain
listing:
https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain

Keep in mind that when doing XSS-related security research a popping-up
alert box tells you that you can execute code, but not whether it's a
vulnerability - for that you need to verify the domain (and maybe
scheme/port as well, depending on your case), e.g. by doing
alert(document.domain) instead of alert('XSS en Google AUDIT') ;)

Cheers,
Gynvael

On Fri, Nov 27, 2015 at 10:28 AM Francisco Javier Santiago Vázquez <
franciscojaviersantiagovazquez@...il.com> wrote:

> I. VULNERABILITY
> -------------------------
> Vulnerability Cross-Site Scripting Translator Google affected by Cross-Site
> Scripting vulnerability (XSS)
> Google assumes the vulnerability.
>
>
> II. DESCRIPTION
> -------------------------
> - Firstly, go to https://translate.google.es/?hl=es  website and click on
> "Document Translate"
> - Upload the proof of concept
> - Finally, we can display the Cross-Site Scripting (XSS)
>
>
> III. PROOF OF CONCEPT
> -------------------------
> POST /translate_f HTTP/1.1
> Host: translate.googleusercontent.com
> User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:39.0) Gecko/20100101
> Firefox/39.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> Referer: https://translate.google.es/?hl=es
> Connection: keep-alive
> Content-Type: multipart/form-data;
> boundary=---------------------------147452561017500
> Content-Length: 1095
>
> -----------------------------147452561017500
> Content-Disposition: form-data; name="sl"
>
> en
> -----------------------------147452561017500
> Content-Disposition: form-data; name="tl"
>
> es
> -----------------------------147452561017500
> Content-Disposition: form-data; name="js"
>
> y
> -----------------------------147452561017500
> Content-Disposition: form-data; name="prev"
>
> _t
> -----------------------------147452561017500
> Content-Disposition: form-data; name="hl"
>
> es
> -----------------------------147452561017500
> Content-Disposition: form-data; name="ie"
>
> UTF-8
> -----------------------------147452561017500
> Content-Disposition: form-data; name="text"
>
>
> -----------------------------147452561017500
> Content-Disposition: form-data; name="file"; filename="poc.html"
> Content-Type: text/html
>
> <img src="
>
> http://www.imagenesderisa.com.mx/wp-content/uploads/2015/10/imagenes-de-risa-2.jpg
> "
> onload="alert('XSS en Google AUDIT')"</img>
> -----------------------------147452561017500
> Content-Disposition: form-data; name="edit-text"
>
>
> -----------------------------147452561017500--
>
>
> IV. SYSTEMS AFFECTED
> -------------------------
> The vulnerability affects the Google Translator.
>
>
> VI. CREDITS
> -------------------------
> These vulnerabilities have been discovered by
> Francisco Javier Santiago Vázquez (
> https://es.linkedin.com/in/francisco-javier-santiago-v%C3%A1zquez-1b654050
> ).
> (https://twitter.com/n0ipr0cs).
>
>
> VII. DISCLOSURE TIMELINE
> -------------------------
> Nov 02, 2015: Vulnerability acquired by Francisco Javier Santiago
> Vázquez, aka "n0ipr0cs"
> Nov 03, 2015: Responsible disclosure to Google Security Team.
> Nov 03, 2015: Google assumes the vulnerability
> Nov 26, 2015: Disclosure
>
>
> VIII. Links
> ------------------------
> POC :-
>
> http://www.estacion-informatica.com/2015/11/el-no-cross-site-scripting-de-google.html
>
>
>
>
>
>
>
> *Francisco Javier Santiago Vázquez Ethical Hacker and Forensic Analyst
> <
> http://www.linkedin.com/pub/francisco-javier-santiago-v%C3%A1zquez/50/540/1b6
> >
> <http://estacioninformatica.blogspot.com.es/>
> <https://twitter.com/n0ipr0cs>*
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
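The origin check Gynvael describes, worked through as an added example (this is not code from either mail, nor Google's): a script runs with the authority of the origin (scheme, host and port) of the document it executes in, so the question to ask of an XSS report is whether the origin where the alert fired is the one whose cookies and DOM you care about. The function names, the list of protected origins and the sandbox suffix list below are constructed for illustration; the hostnames are the ones named in the thread.

```javascript
// Added example (not from the original mails): origin triage for an XSS report.
// Node's global WHATWG URL class is used; URL.origin is "scheme://host[:port]"
// with default ports (80/443) already dropped.

// Origin of a URL as the same-origin policy defines it (scheme, host, port).
function originOf(url) {
  return new URL(url).origin;
}

// True only when scheme, host and port all match. Comparing document.domain
// (host only) would miss http vs https or a non-default port.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Does `host` fall under one of the sandbox suffixes, e.g. "googleusercontent.com"?
function isSandboxHost(host, sandboxSuffixes) {
  const h = host.toLowerCase();
  return sandboxSuffixes.some(s => h === s || h.endsWith("." + s));
}

// Triage: `firingUrl` is where the alert actually ran (what location.href
// shows in that document), `protectedOrigins` are the origins whose
// cookies/DOM would be at risk. The Referer header of the request that
// delivered the page plays no part: only the origin of the response matters.
function triageXss(firingUrl, protectedOrigins, sandboxSuffixes) {
  const fired = new URL(firingUrl);
  const reaches = protectedOrigins.filter(o => sameOrigin(firingUrl, o));
  if (reaches.length > 0) {
    return { verdict: "in-scope", origin: fired.origin, reaches };
  }
  if (isSandboxHost(fired.hostname, sandboxSuffixes)) {
    return { verdict: "sandbox", origin: fired.origin, reaches: [] };
  }
  return { verdict: "out-of-scope", origin: fired.origin, reaches: [] };
}

// Constructed values for the thread's case (hypothetical lists, not Google's).
const PROTECTED_ORIGINS = ["https://translate.google.es", "https://translate.google.com"];
const SANDBOX_SUFFIXES = ["googleusercontent.com"];

if (typeof require !== "undefined" && require.main === module) {
  // The PoC's response came from translate.googleusercontent.com, while the
  // Referer pointed at translate.google.es: different origin, sandbox verdict.
  console.log(triageXss("https://translate.googleusercontent.com/translate_f",
                        PROTECTED_ORIGINS, SANDBOX_SUFFIXES));
  // Same host, different scheme is still a different origin.
  console.log(sameOrigin("http://translate.google.es/", "https://translate.google.es/"));
}
```

Running the block prints a `sandbox` verdict for the PoC's host and `false` for the http/https pair, which is why comparing full origins rather than bare hostnames is the safer habit when confirming a finding.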
