Google Webmaster Markup Helper Framed Application XSS

Bug Type: Stored XSS Vulnerability
Browser: Internet Explorer 7 or less
Vulnerable Module: Markup Helper: https://www.google.com/webmasters/markup-helper/
Status: Won't Fix.

Detailed Write-Up: Hey all 🙂 Back in December 2014 I reported a Cross-Site Scripting vulnerability to Google Security. Google Webmaster has a Structured Data Markup Helper module which takes a website URL as input and renders it after blacklisting all JavaScript calls or code anywhere in the page. I tried some classical tricks to get some JavaScript code whitelisted, but none worked. The rendered external URL shows up in an iframe.

The actual web application code is hosted on:

https://markuphelper.googleusercontent.com/

After giving up on attribute-based JavaScript event handlers, I checked whether the style attribute was sanitized properly; fortunately it was not. I was able to inject JavaScript expressions in the style attribute. So I put the vector below in the footer of my website code:

<div style="width: expression(alert(/XSS_Jasminder/));"></div>

JavaScript expressions in CSS are no longer supported in modern browsers; they only work up to Internet Explorer 7. After rendering, nothing was stripped from the vector, as expected.

Now let's open the iframe src URL in Internet Explorer 7. The stored XSS payload fires.

The vulnerable code is hosted on Google's asset store (googleusercontent.com), so this bug doesn't fall under the VRP. I have permission to blog about this vulnerability, though.
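The root cause above is a sanitizer that blacklisted script and event-handler attributes but passed the style attribute through untouched, so legacy CSS expression() reached the browser. The following is an added example (not code from the post or from Google's Markup Helper) of how a defender would close that gap: instead of pattern-matching the word "expression", the style attribute is parsed into declarations and only an allow-listed set of properties with a conservative value grammar (no parentheses, no colons, no slashes) is kept, which rejects expression(), url(javascript:), behavior: and similar constructs without needing to enumerate them. The property allow-list, the sample fragment (which mirrors the post's vector) and the dropped-item log format are constructed for this example. Rejected declarations are returned alongside the clean output so the sanitizer can feed a detection pipeline rather than silently discarding evidence.

```python
import html
import re
from html.parser import HTMLParser

# Constructed allow-list for this example: simple layout properties only.
# No property here can legitimately carry url(), expression() or a binding.
ALLOWED_CSS_PROPS = {
    "width", "height", "color", "background-color", "margin",
    "padding", "font-size", "text-align", "display",
}
# Conservative value grammar: words, digits, units, #hex colours, commas.
# Parentheses, colons and slashes are excluded, so any function call fails.
SAFE_CSS_VALUE = re.compile(r"^[A-Za-z0-9#%.,\s-]+$")
EVENT_ATTR = re.compile(r"^on", re.IGNORECASE)


def sanitize_style(style):
    """Keep only allow-listed declarations; return (clean_style, dropped)."""
    kept, dropped = [], []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if prop in ALLOWED_CSS_PROPS and SAFE_CSS_VALUE.match(value):
            kept.append(f"{prop}: {value}")
        else:
            dropped.append(decl.strip())
    return "; ".join(kept), dropped


class Sanitizer(HTMLParser):
    """Re-serialises a fragment, dropping script/style elements, on* handlers
    and any style declaration that fails the allow-list."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # human-readable record of what was rejected
        self._skip = 0      # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            self.dropped.append(f"<{tag}> element")
            return
        if self._skip:
            return
        clean = []
        for name, value in attrs:
            value = value or ""
            if EVENT_ATTR.match(name):
                self.dropped.append(f"{name} attribute")
                continue
            if name == "style":
                value, bad = sanitize_style(value)
                self.dropped.extend(f"style declaration {d!r}" for d in bad)
                if not value:
                    continue
            clean.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(clean)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
            return
        if not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    """Return (clean_html, dropped_items) for a fragment of untrusted HTML."""
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out), s.dropped


# Constructed sample mirroring the post's vector plus an inline handler.
SAMPLE = ('<div style="width: expression(alert(/XSS_Jasminder/)); color: red">'
          'footer</div><p onclick="alert(1)" style="margin: 4px">ok</p>')

if __name__ == "__main__":
    clean, dropped = sanitize_html(SAMPLE)
    print(clean)
    for item in dropped:
        print("dropped:", item)
```

The expression() declaration is rejected because its value contains parentheses, not because the word "expression" was recognised; the same grammar also blocks obfuscated spellings and other legacy vectors such as behavior: url(...) or -moz-binding:. Running the block prints the cleaned fragment followed by one line per rejected item.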
