Comments for OpnSec Open mind Security and Crypto! Fri, 30 Jul 2021 20:07:09 +0000

Comment on DOM XSS in Gmail with a little help from Chrome by Engue Gillier /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-48064 Mon, 18 May 2020 19:05:31 +0000 /?p=382#comment-48064

In reply to vahhitiu.

Good question, I didn’t find a straight way to predict this random prefix!
I found ways to load an arbitrary iframe in Gmail but it requires user interaction so it’s not practical.
I reported the vulnerability to Google with a PoC where the Google engineer had to manually copy and paste the random prefix in an input to trigger the XSS. Google VRP validated the bug, maybe because a non-secure random generator is not a proper security defense mechanism, so you have to suppose an attacker can predict the value.

Comment on DOM XSS in Gmail with a little help from Chrome by vahhitiu /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-47020 Thu, 14 May 2020 09:03:15 +0000 /?p=382#comment-47020

Great write-up. But I don’t really understand how you get this random prefix. I just saw that you introduced two ways to get this random channel code: one is to crack math.random(), and you said that this method is not suitable for this scenario, and the other is to load a self-controlled iframe in the Gmail tab, and in the next paragraph you said you didn’t find an easy way to load it. Could you tell me more clearly how to get this random prefix?

Comment on DOM XSS in Gmail with a little help from Chrome by Just a nOob /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-46910 Wed, 13 May 2020 22:55:11 +0000 /?p=382#comment-46910

Thanks for sharing! I really believe that the Dev tools are really a great tool to hack; we just need to know how to dominate this tool! Congrats for the achievement, man! I am already trying to read Google source code and it was like WOW! The way they randomly create the functions and vars and other code is mind-blowing! So I really admire what you did! Keep up!!

Comment on DOM XSS in Gmail with a little help from Chrome by Nani /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-46019 Sat, 09 May 2020 16:53:20 +0000 /?p=382#comment-46019

Could you do the exploit on the URL only? Or any other parameters?

Comment on DOM XSS in Gmail with a little help from Chrome by Engue Gillier /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-45513 Thu, 07 May 2020 19:21:48 +0000 /?p=382#comment-45513

In reply to JCVD.

Thanks all! Yes, I encourage you to check other messages on Gmail and on other websites. In this example the workflow is simple: the message contains a URL that is loaded as an iframe src, without URL sanitization or origin check.
In other cases the workflow might be way more complex: message encoding, partial sanitation, complex payload, etc…
For example, what if google.com trusts *.doubleclick.net? 🙂

Comment on DOM XSS in Gmail with a little help from Chrome by JCVD /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-45501 Thu, 07 May 2020 18:36:25 +0000 /?p=382#comment-45501

Could it be possible to apply the same technique with the other messages if the page doesn’t check the origin?

Comment on DOM XSS in Gmail with a little help from Chrome by Binit Ghimire /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-45104 Wed, 06 May 2020 04:59:39 +0000 /?p=382#comment-45104

This is really an AWESOME research! Thank you for sharing, and congratulations!

Comment on DOM XSS in Gmail with a little help from Chrome by Sergio /2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/#comment-44522 Mon, 04 May 2020 04:07:25 +0000 /?p=382#comment-44522

Really appreciated how clearly you explained all the steps. Congrats!

Comment on Into the Borg – SSRF inside Google production network by Benjamin Amywarach /2018/07/into-the-borg-ssrf-inside-google-production-network/#comment-44398 Sun, 03 May 2020 16:16:53 +0000 /?p=317#comment-44398

Great find. I'm new to looking for bugs; initially I was focused on information leakage in Google subdomains, but your blog has taught me to go deeper into the app.

Thanks!
👏👏☕

Comment on Into the Borg – SSRF inside Google production network by Jon DeGeorge /2018/07/into-the-borg-ssrf-inside-google-production-network/#comment-2072 Thu, 22 Nov 2018 03:57:46 +0000 /?p=317#comment-2072

The “cafe” task on the Borglet page stands for Content Ads Front End, the component of the Google Ads network that displays ads on participating websites.
The “apps-upload” task is many Google-wide upload dialogs (e.g. the Gmail photo upload and profile picture upload boxes).
You mentioned that you saw nothing that said sites. “jotspot” is the original name for classic Google Sites, and “atari” is the codename for New Google Sites.
