Comments on: DOM XSS in Gmail with a little help from Chrome
/2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/
Open mind Security and Crypto!
Feed last built: Fri, 30 Jul 2021 20:07:09 +0000

By: Engue Gillier, Mon, 18 May 2020 19:05:31 +0000, /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-48064
In reply to vahhitiu.

Good question, I didn’t find a straightforward way to predict this random prefix!
I found ways to load an arbitrary iframe in Gmail, but it requires user interaction, so it’s not practical.
I reported the vulnerability to Google with a PoC where the Google engineer had to manually copy and paste the random prefix into an input to trigger the XSS. Google VRP validated the bug, maybe because a non-secure random generator is not a proper security defense mechanism, so you have to suppose an attacker can predict the value.

By: vahhitiu, Thu, 14 May 2020 09:03:15 +0000, /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-47020
Great write-up. But I don’t really understand how you get this random prefix. I just saw that you introduced two ways to get this random channel code: one is to crack Math.random(), and you said that this method is not suitable for this scenario; the other is to load a self-controlled iframe in the Gmail tab, and in the next paragraph you said you didn’t find an easy way to load it. Could you tell me more clearly how to get this random prefix?

By: Just a nOob, Wed, 13 May 2020 22:55:11 +0000, /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-46910
Thanks for sharing! I really believe that DevTools is a great tool to hack with; we just need to know how to master it! Congrats on the achievement, man! I already tried to read Google’s source code and it was like WOW! The way they randomly create the functions and vars and other code is mind-blowing! So I really admire what you did! Keep it up!!

By: Nani, Sat, 09 May 2020 16:53:20 +0000, /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-46019
Could you do the exploit on the URL only? Or on any other parameters?

By: Engue Gillier, Thu, 07 May 2020 19:21:48 +0000, /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-45513
In reply to JCVD.

Thanks all! Yes, I encourage you to check other messages on Gmail and on other websites. In this example the workflow is simple: the message contains a URL that is loaded as an iframe src, without URL sanitization or an origin check.
In other cases the workflow might be way more complex: message encoding, partial sanitization, complex payload, etc…
For example, what if google.com trusts *.doubleclick.net? 🙂

By: JCVD, Thu, 07 May 2020 18:36:25 +0000, /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-45501
Could it be possible to apply the same technique to the other messages if the page doesn’t check the origin?

By: Binit Ghimire, Wed, 06 May 2020 04:59:39 +0000, /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-45104
This is really AWESOME research! Thank you for sharing, and congratulations!

By: Sergio, Mon, 04 May 2020 04:07:25 +0000, /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-44522
Really appreciated how clearly you explained all the steps. Congrats!
