Security blog by Sasi Levi<br />
<br />
<b>Drop the mic?! no! Drop the connection ;)</b> (2019-12-29)<br />
<span style="font-family: "times" , "times new roman" , serif;"><br class="Apple-interchange-newline" /></span>
<span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;">Hello all!!!</span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="background-color: white; color: #444444;">Its been a long time since I blogged about my finding, so today I'm going to post about one of my XSS on Google and one of the tricks I use to find such bugs. </span></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="background-color: white; color: #444444;"><br /></span>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="background-color: white;">Let's begin, I have a trick, which you probably know or not ;), that I'm using during my tests.</span></span></span><br />
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="background-color: white; font-family: "times" , "times new roman" , serif;">The trick is to drop the request via burp suite and see what page I'll get. (Many researchers turn off WIFI).</span></span><br />
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="background-color: white; font-family: "times" , "times new roman" , serif;">Usually, you'll end up with an error from burp suite that the request was canceled by the user, but in many cases, you'll get an error page from the site. (I need to write an extender for it!).</span></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="background-color: white;"><br /></span></span>
</span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS4DHMsybh7Wn0kTRPMJ2SeETpJa-3HBwkHkwXigNEoT41mwHgZIJtr8Bi0Sz1PKLNBpmbsCoBHbT2c9PX6CUkPcF70LiF0crg3NUDlT8Kr72BHsoCfH4ZEjy7tatb1VBmWK2utIyr674/s1600/Screen+Shot+2019-12-29+at+19.33.25.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "times" , "times new roman" , serif;"><img alt="" border="0" data-original-height="963" data-original-width="1600" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS4DHMsybh7Wn0kTRPMJ2SeETpJa-3HBwkHkwXigNEoT41mwHgZIJtr8Bi0Sz1PKLNBpmbsCoBHbT2c9PX6CUkPcF70LiF0crg3NUDlT8Kr72BHsoCfH4ZEjy7tatb1VBmWK2utIyr674/s200/Screen+Shot+2019-12-29+at+19.33.25.png" title="" width="200" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "times" , "times new roman" , serif; font-size: small;">Survey error page</span></td></tr>
</tbody></table>
<span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;"><span style="background-color: white; color: #444444;"></span><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLn3VabdvzZMwWwmP2ws1dSeRS_PP8rRNPkuM7kSoSiB_ibtt91i837FWTNpmosxZsgQf7swQlEHNIDgQsQm1-oHJhCAb4aY3ZJUSnOdBpWeEl14okok7lDN0E_zQ-KdCexSqulw_zepA/s1600/Screen+Shot+2019-12-29+at+19.33.42.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "times" , "times new roman" , serif;"><img border="0" data-original-height="559" data-original-width="1600" height="69" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLn3VabdvzZMwWwmP2ws1dSeRS_PP8rRNPkuM7kSoSiB_ibtt91i837FWTNpmosxZsgQf7swQlEHNIDgQsQm1-oHJhCAb4aY3ZJUSnOdBpWeEl14okok7lDN0E_zQ-KdCexSqulw_zepA/s200/Screen+Shot+2019-12-29+at+19.33.42.png" width="200" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "times" , "times new roman" , serif; font-size: small;">Burp Suite error</span></td></tr>
</tbody></table>
<span style="font-family: "times" , "times new roman" , serif;"><span style="background-color: white; color: #444444;"><br /></span>
<span style="background-color: white; color: #444444;"><br /></span>
<span style="background-color: white; color: #444444;"><br /></span>
<span style="background-color: white; color: #444444;"><br /></span>
<span style="background-color: white; color: #444444;"><br /></span>
<span style="background-color: white; color: #444444;"><br /></span>
I usually return to Google subdomains million times to see if there's a new change, new JS files or just to look around and see if I missed something.</span><br />
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="background-color: white; font-family: "times" , "times new roman" , serif;">I went back to survey.google.com, which lets any user create a survey, to see if I can find bugs that I didn't find in my previous visits. </span></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="background-color: white;">After a few hours, I decided to check my trick, so here is what I did:</span></span></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<br />
<div>
<span style="font-family: "times" , "times new roman" , serif;"><span style="background-color: white; color: #222222;">1. Log in to </span><a href="https://surveys.google.com/your-surveys" style="background-color: white; color: #1155cc;" target="_blank">https://surveys.google.com/your-surveys</a></span><br />
<span style="background-color: white; color: #222222; font-family: "times" , "times new roman" , serif;">2. Turn on Burp Suite.</span><br />
<span style="background-color: white; color: #222222; font-family: "times" , "times new roman" , serif;">3. Click the three dots on the right, then Delete.</span><br />
<span style="background-color: white; color: #222222; font-family: "times" , "times new roman" , serif;">4. Drop the request in Burp Suite, then drop the next one as well; a total of 2 requests should be dropped.</span><br />
<span style="background-color: white; color: #222222; font-family: "times" , "times new roman" , serif;">5. The browser shows a new page with "TRY AGAIN" and "GET HELP" links.</span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="background-color: white; color: #222222;">6. The "TRY AGAIN" href is "javascript:window.location.href=window.location.href".</span></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="background-color: white; color: #222222;">7. Set the URL to </span><a href="https://surveys.google.com/your-surveys?#" style="background-color: white; color: #1155cc;" target="_blank">https://surveys.google.com/your-surveys?#</a><span style="background-color: white; color: #222222;">&quot;&gt;&lt;img src=y onerror=confirm(1)&gt;</span></span><br />
<span style="background-color: white; color: #222222; font-family: "times" , "times new roman" , serif;">8. Chrome's XSS Auditor will block your request.</span></div>
<div>
<span style="background-color: white; color: #222222; font-family: "times" , "times new roman" , serif;"><br /></span></div>
<div>
<span style="background-color: white; color: #222222; font-family: "times" , "times new roman" , serif;">As you can see the DOM XSS was blocked by the Chrome auditor which is enough to report to Google.</span></div>
<div>
<span style="background-color: white; color: #222222; font-family: "times" , "times new roman" , serif;"><br /></span></div>
<span style="font-family: "times" , "times new roman" , serif;">Happy holidays,</span><br />
<span style="font-family: "times" , "times new roman" , serif;">Sasi</span><br />
<div>
<span style="background-color: white; color: #222222; font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span></div>
<br />
<b>Combination of techniques leads to DOM Based XSS in Google.</b> (2016-09-19)<br />
<br />
Hello all!<br />
<br />
<span style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px;">Its been a long time since I blogged about my finding, so today I'm going to post about one of my favorite finds in Google this year. (2016).</span><br />
<span style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px;"><br /></span>
<span style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px;">Last July, I found DOM based XSS while surfing through Google sub domains.</span><br />
<span style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px;">The most important thing about this find is that I was able to activate the XSS via Clickjacking.</span><br />
<span style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px;">Before I continue, I just wanted to say that I'm really don't understand why companies put Clickjacking out-of-scope, maybe they don't know how clickjacking works or what is the real impact of such attack.</span><br />
<span style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px;"><br /></span>
<span style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px;">Anyway, I was looking for some sub domains in Google and I came across earthengine.google.com, I started to see if there're any sub-domains or any pages that I can look and find interesting issues. </span><br />
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="background-color: white; font-size: 13px;">After 10 mins I came across the following subdomain, </span><span style="font-size: 13px;">explorer.earthengine.google.com, this subdomain let you explore maps by heat/cold and other parameters.</span></span><br />
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">I found parameter called Class which give you some attributes that you can set to see the earth in other ways of colors/waters and etc.</span></span><br />
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">Once I created this class the name was 'Class Untitled' so as automatic way, I set it as simplest vector <img-onload-alert(1)> as a result pop up came up.</span></span><br />
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">Cool and not cool, once the name saved the HTML tags were removed. Once I refreshed the page nothing really happened. </span></span><br />
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">I tried to figure out what can lead to that XSS and I read some JS files and tried to figure the DOM of the page and I came across that once you focus/unfocus the field, the XSS will activate.</span></span><br />
<br />
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">So what I got so far?</span></span><br />
<br />
<ul>
<li><span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">The name of the class extract the HTML tags once it saved.</span></span></li>
<li><span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">The focus/unfocus method return the HTML tags which leads to DOM based XSS.</span></span></li>
</ul>
<div>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">Again, it's cool but not cool, why?</span></span></div>
<div>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">I cannot activate it without user interaction, I cannot force user to click on that page without...wait...</span></span></div>
<div>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">If I'll be able to force users to click whenever I want, with minimum clicks, let's say 1/2 clicks, i'll be able to make this XSS more dangerous...but how?</span></span></div>
<div>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">To resolve it, I first checked the HTTP Header of that page and I found out that X-FRAME-OPTIONS is missing, <b>It's my lucky day!</b></span></span></div>
<div>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;"><b><br /></b></span></span></div>
<div>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">Now, all I have to do is to share my workspace, set it on my src attribute and ....BOOM!, (I always wanted to write the BOOM thing, just ignore it :)).</span></span></div>
<div>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">After few hours of HTML design, I'm not so professional with HTML :), I created a simple game that any user will click on it, and within 2 clicks I was managed to activate that XSS.</span></span></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/ywIm-X__vCU/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/ywIm-X__vCU?feature=player_embedded" width="320"></iframe></div>
<div>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<br />
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">Thanks for Google security team that responded very quick.</span></span><br />
<div>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">Thanks for reading,</span></span></div>
<div>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif;"><span style="font-size: 13px;">Sasi</span></span>
<span style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px;"><br /></span>
<span style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px;"><br /></span></div>
<br />
<b>Creative bug which results in Stored XSS on m.youtube.com</b> (2015-12-08)<br />
<br />
Hi all!<br />
It's been a long time since I blogged about my findings, so today I'm going to post about my creative bug on YouTube.<br />
It all started back in April 2015. I was checking Google for bugs and didn't find anything, so I decided it was time to put the research aside and go play MW3 on my PlayStation 3.<br />
I turned on my PS3 and noticed the YouTube application that exists on the PS3.<br />
This application lets you play music/movies from anywhere on your PS3.<br />
I started to search for documentation about it and found that I could share my connected TV with any mobile/tablet/PC, etc.<br />
So I opened my PC and found out that I could actually stream my YouTube music to my PS3. COOL!<br />
I also noticed that every person connected to my Wi-Fi could actually connect to it and stream to my PS3... wait! DO WHAT?!<br />
Let me repeat this slowly... any user on my Wi-Fi can see the PS3's name and stream anything to my PS3... :)!<br />
So I fired up Burp Suite, configured my PS3 to use my remote proxy, and was ready to capture the PS3's requests.<br />
I set a new name on my PS3 and captured the request: <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnE48G37PnuLrN4LaOY2NEkEz56xrgAohhSDKeq6Kb9KbLhFZC7Y-GyiacrOmPvpa3kG2dJ0UbqnpTeDkcw9K6u_DTNgGEz9AhzMRtn0CuULWJvlygIFk5nZfjRZqBKuwiLqDkfqfjlV8/s1600/Capture.PNG" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnE48G37PnuLrN4LaOY2NEkEz56xrgAohhSDKeq6Kb9KbLhFZC7Y-GyiacrOmPvpa3kG2dJ0UbqnpTeDkcw9K6u_DTNgGEz9AhzMRtn0CuULWJvlygIFk5nZfjRZqBKuwiLqDkfqfjlV8/s200/Capture.PNG" /></a><br />
As you can see, the screen_name field can be changed to any name with special characters, and no check exists.<br />
I set it to a very simple and well-known XSS vector, <b>Sasi""img src=y onerror=confirm(document.domain)</b>, and forwarded the request.<br />
As a result I saw that the screen name was now <b>PatrikIsMyFriend""img src=y onerror=confirm(document.domain)</b>, without any JS being executed.<br />
So... as if my creativity hadn't been good enough so far, I came up with the idea of changing the User-Agent to Android, because hey, you can use this TV name on any Wi-Fi connection.<br />
After setting my User-Agent I got redirected to m.youtube.com, which contains lots of div tags to display content.<br />
I searched for some Rammstein music, clicked on the TV I wanted to play the music on, and the XSS popped up.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKTe6cKgG2oGhswNhJT3HYNQ18TZ-1oQx6iMxRwRoTQBMcq-cQLRRZUuFp-ZotDqdHJI6leDpV0-QU6r3ujknE5N6c8As4bMDxQxQmrejFJO4CePGIAvNPr6UL6cekgpBuQfMrLkwsiqA/s1600/screen.PNG" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKTe6cKgG2oGhswNhJT3HYNQ18TZ-1oQx6iMxRwRoTQBMcq-cQLRRZUuFp-ZotDqdHJI6leDpV0-QU6r3ujknE5N6c8As4bMDxQxQmrejFJO4CePGIAvNPr6UL6cekgpBuQfMrLkwsiqA/s200/screen.PNG" /></a><br/>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhly5uN1f8gpsy8cqZuZ9mKlEbSWi8ql0FRyYu7J9byySYmyGcSRMkDhyphenhyphenbAUnC0-Ulqd_ANBkaM8fDNTvoXwwyjuv_FdhJRb_XE1X-B4QMiYjqVr9XzOITx3wTHW_GVgOoiZHmKVdF2Q_o/s1600/xss.PNG" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhly5uN1f8gpsy8cqZuZ9mKlEbSWi8ql0FRyYu7J9byySYmyGcSRMkDhyphenhyphenbAUnC0-Ulqd_ANBkaM8fDNTvoXwwyjuv_FdhJRb_XE1X-B4QMiYjqVr9XzOITx3wTHW_GVgOoiZHmKVdF2Q_o/s200/xss.PNG" /></a><br/>
As always, the Google security team closed the issue within hours!<br /><br />
Thanks for reading!<br /><br />
Sasi<br />
<br />
<b>Google, me and XSS :)</b> (2014-11-08)<blockquote>
<span style="color: #3d85c6;">I remember my teachers and my parents are telling me all the time, read books, read documents, read articles, it will be helpful and educated you.</span></blockquote>
The journey of this report started with the Google Bug Bounty in August 2014 and focuses on Google Apps for domains, which is admin.google.com.<br />
In the admin console there's a component called Google Apps, which contains Google services such as Docs, Calendar, etc.<br />
I decided to focus on Calendar and went to check the documentation to see whether there was a difference between the regular Calendar and Calendar for business.<br />
I started to poke around and came across a feature of Google Apps Calendar called Resources.<br />
You can find a reference to it here: <a href="https://support.google.com/a/answer/60766?hl=en">Manage resources</a>. Don't forget to pay attention to <b><span style="color: #e06666;">This feature is not available in the legacy free edition of Google Apps</span>.</b><br />
I found out that Google Apps Calendar has an option, hidden from the regular Calendar, that lets you set your own resource, e.g. a meeting room.<br />
I tried setting a resource to my_room&quot;&gt;&lt;img onerror=prompt(1) src=y&gt; in the admin console, but found that HTML tags were filtered, so I decided to go to the Calendar and see if I could use it there.<br />
I set an event with this resource but it didn't trigger any XSS, so I tried to see what the difference is between the regular Calendar and Calendar for business.<br />
I noticed <b><span style="color: #6fa8dc;">Appointment slots</span></b>, which are available only in Google Apps Calendar. I wanted to read about it, and the first result I came across was <a href="http://googleforwork.blogspot.co.il/2011/06/introducing-appointment-slots-in-google.html">Google Appointment Slots (since 06/2011)</a>.<br />
The feature has existed in Google since 06/2011!<br />
I went back to Google Apps Calendar and started to set up my appointment. I chose one of my resource rooms, and when I checked my appointment I found that my resource was rendered and the XSS fired.
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkMMArtBnQEx_L3I2Px4MoiL8MkJ15pqlqSaZTzvRWR6MYlsx9BmM9hZDt_Yu0oJpDC1OuV5zGalzFzGXeDLVnCL_Q4lsfbGKb51uyeGsm6J-KLBtzgSEWUVQ55PqlYHkTO37P_CIesQU/s1600/blog_xss_calender_appointment.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkMMArtBnQEx_L3I2Px4MoiL8MkJ15pqlqSaZTzvRWR6MYlsx9BmM9hZDt_Yu0oJpDC1OuV5zGalzFzGXeDLVnCL_Q4lsfbGKb51uyeGsm6J-KLBtzgSEWUVQ55PqlYHkTO37P_CIesQU/s400/blog_xss_calender_appointment.png" /></a></div>
<b><span style="color: #6fa8dc;">First step done successfully.</span></b></br>
My second mission was to take this vulnerability outside of my domain, to make it more effective and more dangers.</br>
First I found out that I can share my resources with admins or users, <a href="https://support.google.com/a/answer/1034381?hl=en">Shared resources</a>, but that was between admin/users in my domain.</br>
I take another look over Google calender and tried to find what I can share outside the domain and I came up with sharing my calender.</br>
I clicked over the share calender button, set an email from outside my domain and was able to share it, the funny part was that I found another issue with Google that allowed me to add this calender to any user without getting permission of it.
</br></br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU2mfA4ZIh6FaD5Nc-PsT7Cdf7eVZ9FAuDXkAdJWkQ9MKaOWvLkttQ6XTPHxET0ziGMoh-11v7tNBjxmlwJ8ehtY4q6b2mJ5W0D-h0cyukRD0mVvvsun_UjsZYVEjCt1hGr6rda3SN8Qg/s1600/xss_calender_appointment_not_domain.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU2mfA4ZIh6FaD5Nc-PsT7Cdf7eVZ9FAuDXkAdJWkQ9MKaOWvLkttQ6XTPHxET0ziGMoh-11v7tNBjxmlwJ8ehtY4q6b2mJ5W0D-h0cyukRD0mVvvsun_UjsZYVEjCt1hGr6rda3SN8Qg/s400/xss_calender_appointment_not_domain.png" /></a></div>
<br /><br />
<b><span style="color: #6fa8dc;">Second and final step done successfully.</span></b><br /><br />
Conclusion: read, read, and read any document you can find; the answer to a vulnerability sometimes lies in the documentation.
<br /><br />
POC:
<br /><br />
<a href="https://www.youtube.com/watch?v=bSA0GsY68S8&feature=youtu.be">POC</a>
<br /><br />
Thanks for reading, and I hope you liked it :).
<br /><br />
Sasi