前言
2018年9月26日,开源Closure库(最初由谷歌创建并用于谷歌搜索)的一名开发人员创建了一个提交,删除了部分输入过滤。据推测,这是因为开发人员在用户界面设计方面出现了问题。但此次提交的开发人员以及审核人员并未发现这一举动将会导致XSS。
2019年2月,安全研究员Masato Kinugawa发现了这个漏洞,并将其报告给了Google。Google立即做出反应,并在2019年2月22日修复了漏洞,撤销了之前9月份做的修改。另一位安全专家LiveOverflow详细描述了如何导致XSS。
XSS如何发生的?
Closure库中的漏洞很难检测。它依赖于一种很少使用的技术,叫做突变XSS。突变XSS漏洞是由浏览器解释HTML标准的方式不同造成的。
由于浏览器的不同,很难对服务器上的用户输入进行清理。服务器不仅需要考虑浏览器之间的所有差异,还需要考虑它们的版本之间的所有差异。对输入进行过滤以防止XSS的最有效的方法是让浏览器解释输入而不实际执行它。
有一个很好的客户端库用于防止XSS:DOMPurify。这个库也被Closure使用。然而,DOMPurify并不是万能法宝。在极少数情况下,需要额外的过滤操作才能确保万无一失。确切地说,2018年9月随着Closure的更新而删除了额外的过滤操作。
A change made several months ago in an open-source JavaScript library introduced a cross-site scripting (XSS) vulnerability in Google Search and likely other Google products.
Japanese security researcher Masato Kinugawa discovered what appeared to be an XSS vulnerability in Google Search. Such a security hole can pose a serious risk and it could be highly useful to malicious actors for phishing and other types of attacks.
According to an analysis conducted by LiveOverflow, the XSS vulnerability was introduced by the use of a library named Closure and its failure to properly sanitize user input.
Closure is a broad JavaScript library designed by Google for complex and scalable web applications. The tech giant has made the library open source and still uses it for many of its applications, including Search, Gmail, Maps and Docs.
The vulnerability was apparently introduced on September 26, 2018, when someone removed a sanitization mechanism reportedly due to some user interface design issues. It was addressed on February 22, 2019, when the change made in September 2018 was reverted. Google is said to have patched the vulnerability shortly after learning of its existence.
Comments posted by developers when the rollback was done confirmed that the issue was related to an HTML sanitizer and that it introduced an XSS flaw in the Google Web Server (GWS) software.
Vag COM , TCS CDP , VAS5054A , GM Tech2 , Iprog+ Programmer , Orange 5 programmer , SBB3 PRO3 Key Programmer , wiTech MicroPod II , T300+ Key Programmer, Iprog, Scania VCI3, mercedes star diagnostic, Porsche Piwis, vocom 88890300, Renault CAN Clip, SBB Key Programmer, NEXIQ USB Link
While the analysis of the flaw focused on Google Search, LiveOverflow said the security bug likely affected other Google products that use the Closure library.
It’s unclear if Google has awarded a bug bounty for this vulnerability. SecurityWeek has reached out to Masato Kinugawa for additional information and will update this article if the researcher responds.
LiveOverflow has posted a 13-minute video detailing the vulnerability and its cause.