5up3rh3i'blog［提供有偿web代码安全审计服务］

版权声明：转载时请以超链接形式标明文章原始出处和作者信息及本声明
http://superhei.blogbus.com/logs/10645302.html

Google-xss

jx发现的一个goole的xss今天公布了:http://www.xfocus.net/articles/200711/957.html

又是一个DOM-XSS: 在登陆入口https://www.google.com/accounts/ServiceLogin?service=mail&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2&passive=truel

漏洞在function utmx_section():

<script>
function utmx_section(){}
(function(){var k='1072981003',d=document,l=d.location,c=d.cookie;function f(n){
if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n.
length+1,j<0?c.length:j)}}}

var x=f('__utmx'),xx=f('__utmxx'),h=l.hash, //  <--document.location.hash取#后的location.hash
t=h.length>1||!xx||!xx.indexOf(k+':bypasscache');

d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+(t?'&utmxtime='
+new Date().valueOf():'')+(h?'&utmxhash='+h.substr(1):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})(); //<--document.write输出
</script>
<script>utmx_section("title")</script>

l.hash也就是document.location.hash被document.write出来,一个很典型的DOM-XSS

在搞这个利用的过程中发现个很郁闷的问题,就是在ie里用iframe调用这个https的 居然取不到完整的cookie,ff可以,这个问题还没有很好的解决,希望你的指点..... :)