WebApp Sec mailing list archives
Re: [WEB SECURITY] Cross Site Scripting in Google
From: bugtraq () cgisecurity net
Date: Wed, 5 Jul 2006 08:49:33 -0400 (EDT)
Did you even bother to email them and let them know? Being that they're still vulnerable probably not.... - z
Google is vulnerable to cross site scripting attacks. I found a function built off their add RSS feed function that returns HTML if a valid feed is found. It is intended as an AJAXy (dynamic JavaScript anyway) call from an inline function and the page is intended to do sanitation of the function. However, that's too late, and it returns the HTML as a query string, that is rendered, regardless of the fact that it is simply a JavaScript snippet. Here is the post that explains the whole thing: http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/ -RSnake http://ha.ckers.org/ http://ha.ckers.org/xss.html http://ha.ckers.org/blog/feed/ ---------------------------------------------------------------------------- The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
------------------------------------------------------------------------- Sponsored by: Watchfire Securing a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm --------------------------------------------------------------------------
Current thread:
- Cross Site Scripting in Google RSnake (Jul 05)
- Re: [WEB SECURITY] Cross Site Scripting in Google bugtraq (Jul 05)
- Re: [WEB SECURITY] Cross Site Scripting in Google RSnake (Jul 05)
- Re: [WEB SECURITY] Cross Site Scripting in Google Collin Jackson (Jul 05)
- Re: [WEB SECURITY] Cross Site Scripting in Google RSnake (Jul 06)
- Re: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google Javor Ninov (Jul 06)
- Re: [WEB SECURITY] Cross Site Scripting in Google RSnake (Jul 05)
- Re: [WEB SECURITY] Cross Site Scripting in Google bugtraq (Jul 05)