13 replies to this topic

[Blake]

I recieved this via email from nabz_245@hotmail.com


ok well, not too much of a bug but u could fool someone and steal there cookies or suntin..
well

--http://images.google.com/imgres?imgurl=[URLHERE]&imgrefurl=http://darkdevelopments.com/

replace [URLHERE] with a url. then wen u click view full size image, it will redirect you to that url

Ie:

--http://images.google.com/imgres?imgurl=http://darkdevelopments.com&imgrefurl=http://darkdevelopments.com/

The above will redirect you to this url.
Easily steal someones cookies.

you could even change the imgrefurl= variable to make it display the script straight away.

imgurl= See full-size image link.
imgrefurl= page displayed below in the frame.

[No Dice]

I know him and he is a reliable source. Nabz has visited and been a Mod for many security forums... Very helpful and knowledgeable..

SSgroup & GoG as well as many others.. You should feel honored that he added you to his list.. Then again, the honor may be his.. Never know..

Dice

[Nick W]

XSS would be difficult via this method unless you can run javascript. It'd be tough to steal cookies anyway.

[toe]

http://images.google...pod.com/cs.html

http://images.google.com/imgres?imgurl=http://snickerbars.com&imgrefurl=http://pablo_m123.tripod.com/cs.html&imgrefurl=http://pablo_m123.tripod.com/cs.html

You can make it link to itself to make the url long so less chance of any one noticeing the hidden url, well kind of. Got my friends good with that...

-toe

[setthesun]

I think this is just a way for phising or related attacks, How can you steal cookies ? You can not execute javascript under the google domain or am I missing something ?

[NabZ]

http://images.google...om/extra/ip.php

The above will display your ip. Using a similar method, you could easily steal cookies, etc, etc.

[setthesun]

http://images.google...om/extra/ip.php

The above will display your ip. Using a similar method, you could easily steal cookies, etc, etc.

Sorry but no you can not,

[crock]

You can not run code on the google site.

Else, it would be too easy, just let google index your site, and voila...


crk,

[cvh]

At kapda we have also found some bugs in google a while ago.
But this XSS is harmless maybe usefull for phishing but not likely.
We have contacted google also for a remote source disclosure and there where some members working on a remote DoS against google servers.

But the bug you found is a RXSS ( Redirect XSS ), devilbox had developped that technique several years ago when XSS was named HTML Piggy Jack and sql injection know as SQL Piggy Jack he says, I guess he and idespinner developped it.
I can't post the whitepaper because he hasn't disclosed it still after all those years.

And setthesun is right you can't steal cookies from the google page (because your javascript code is on a different page so you can only get the cookies from that page) but you can execute javascript in a victim his browser.

Here's a test link

http://images.google.com/imgres?imgurl=http://darkdevelopments.com&imgrefurl=http://tinyurl.com/blyzc

[LittleHacker]

yea,I remember devilbox showed me some.
best wishesh for kapda

[setthesun]

We have contacted google also for a remote source disclosure and there where some members

wow it's serious dude do you mean you see source code of some pages from google?
What is the language ? Java, some kind of scripting over C++, perl ?

[cvh]

We were only be able to see a very small portion of non-sensitive code (python).
So not critical and still unpatched I just checked, but it was confirmed by google as a source disclosure.
Black_death found that bug at Jan 14 2006, so a month ago.

[devil_box]

sup ?

you were talking about rxss/xss and my old whitepaper ...

the bug you were talking about and `v never been published was :

http://www.google.co...ttp://kapda.ir/

donno if it`s published by nother person yet ,just opened my old back-up files and pasted the URL above.

there were many in google as I remember specialy in its new services (translate,gmail and etc)
think some of them were reported.

Note : RXSS and XSS ( the same DOM hijacking) are low-risk vulnerbilities cause they affect client-side but notice if RXSS exists potential of HTTP Response Spilitting vulnerabilities is high (if CR/LF/Null are allowed)and there is no doubt RXSS is more dangerous than XSS cause validating local source(user input must contain client-side executable script [mobile code]) is much easier than validating contents of Remote Page (user input is just URL) which is not a threat by itself.

while ago (about two,three years ago) I was devloping a method to avoid XSS/RXSS and any malicious client side scrips,I never published the results donno if it still works ( as I tested recently AJAX and Syle .behaviour (HTC) are domains my method might cause limitations ).If there is anyone intrested into such researches i`d be glad to share my info with them.

Tnx

[chills]

i dont think you can get cookies .... but iam not sure about orkut and Gmail though i guess those could work let me test it let you know if it works



i dont think you can get cookies .... but iam not sure about orkut and Gmail though i guess those could work let me test it let you know if it works