Information Assurance

Dan Kahan




Bugtraq Analysis

Google XSS Injection Vulnerability


1. Problem Description

From the user’s point of view, Google’s search service accepts a query from a form on its Web site, a toolbar, a URL string, or various other sources. Other parameters, such as the user’s preferred language, can also be passed along. The service then returns results for the query if any are available. Like any Web application that accepts input, Google’s search service must properly validate and clean input before processing it; otherwise both users and Google are exposed to malicious input. Indeed, in Google’s English-language search service, many cross-site scripting (XSS) vulnerabilities have been prevented or fixed. However, the different language versions of Google’s search service handle input differently. The Arabic-language version, for instance, has XSS vulnerabilities that the English version does not. While Google does seem to prevent longer scripts from executing – which precludes a lot of malicious scripting attacks – it currently allows multiple short scripts to run.


This URL will cause one alert box to appear: one.

Variants can cause more alert boxes to appear: lots.


Limitations

While multiple short scripts can be executed, the script no longer runs once the string inside the alert function is longer than one character. Several common JavaScript functions used for hijacking cookies are also not executed. The XSS vulnerability was not confirmed on any other version of the search service. However, as the saying goes, absence of evidence is not evidence of absence. Thus, malicious code execution may very well be possible even though it could not be verified here.

2. Prevention

If the developers of each version of the search service had worked together or from the same codebase, then there would not be this disparity. Google’s XSS prevention mechanisms are generally effective, but not when they are used inconsistently.

3. Workarounds

There are two ways to prevent this problem from occurring. Users can disable JavaScript or just closely inspect Google URLs before clicking them, just as they should do for any URL. If there is any doubt about whether a URL might contain malicious code, the user should go to the main page for the site (in this case, http://www.google.com) and navigate from there.

4. Future prevention

Google’s Arabic-language code ought to incorporate the same input-cleaning mechanisms that are employed in other versions of Google’s service. Those mechanisms sanitize every query that contains what could be server- or client-side code. While Google has probably written its own code in Python or C++ for this, many Web application development platforms provide readily available functions for it. For instance, in PHP, the function htmlspecialchars() replaces the characters that have special meaning in HTML (such as <, >, &, and quotation marks) with their entity equivalents, so that user input cannot be interpreted as markup.
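As an added illustration (not code from the original analysis and not Google’s code), the following Python contrasts a results page that reflects the query verbatim with one that escapes it first, using html.escape as Python’s counterpart to PHP’s htmlspecialchars(). The template, the example.invalid URLs, and the sample queries are constructed placeholders.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical results-page template; the query lands in both a text node and an attribute.
PAGE = '<html><body><p>Results for: {q}</p><input name="q" value="{q}"></body></html>'

# Constructed sample URLs (not real Google URLs). The first carries two short
# scripts of the kind the analysis describes; the second is an ordinary Arabic query.
SCRIPT_URL = ("https://example.invalid/search?hl=ar&q="
              "%3Cscript%3Ealert(1)%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E")
ARABIC_URL = "https://example.invalid/search?hl=ar&q=%D9%85%D8%B1%D8%AD%D8%A8%D8%A7"


def extract_query(url: str) -> str:
    """Return the decoded q parameter, or an empty string if it is absent."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_unsafe(url: str) -> str:
    """Reflects the query verbatim: the pattern that lets the short scripts run."""
    return PAGE.format(q=extract_query(url))


def render_safe(url: str) -> str:
    """Same template, but the query is escaped before insertion.
    quote=True also escapes both quote characters, which matters for the
    value="..." attribute context in the template."""
    return PAGE.format(q=html.escape(extract_query(url), quote=True))


def contains_script_element(page: str) -> bool:
    """Simple output check: does a literal <script tag survive into the page?"""
    return "<script" in page.lower()
```

Non-ASCII text is left untouched by html.escape, so the Arabic query renders unchanged while the script tags become inert entity text.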