About the Author

Chris Shiflett

Hi, I’m Chris: web craftsman, community leader, husband, father, and partner at Fictive Kin.


Google's XSS Vulnerability

The recent cross-site scripting (XSS) vulnerability discovered in Google perfectly illustrates why character encoding matters. This example demonstrates how to use PHP's htmlentities() function with the optional third argument that indicates the character encoding:

<?php

// $clean['username'] is assumed to hold input that has already been filtered.
$html = array();

// Escape for HTML, and name the character encoding so that htmlentities()
// and the browser agree on what a character is.
$html['username'] = htmlentities($clean['username'],
                                 ENT_QUOTES,
                                 'UTF-8');

echo "<p>Welcome back, {$html['username']}.</p>";

?>

The example uses UTF-8, so this should be indicated in the Content-Type header:

Content-Type: text/html; charset=UTF-8

Researchers at Watchfire realized that Google does not indicate the character encoding. They also realized that you can visit a URL such as the following to have data that you send reflected in the body of the response:

http://google.com/url?EVIL

You will see the following:

Forbidden

Your client does not have permission to get URL /url?EVIL from this server.

Google does not guard against malicious input encoded as UTF-7, so all an attacker needs is a browser that will interpret Google's response as a UTF-7 resource. That is possible precisely because Google does not indicate the character encoding in its Content-Type entity header: a browser that is not told the encoding is free to guess it.

Unfortunately for Internet Explorer users (and Google), there is an auto-select option for encoding that, if set, will interpret a resource as UTF-7 if it finds a UTF-7 character in the first 4096 bytes. Because Google's response is so small, the danger is clear.

The moral of the story is that you should always ensure character encoding consistency between your escaping function and the remote system to which you're sending data. In other words, specify the character encoding in htmlentities(), use mysql_real_escape_string() (which handles this for you), etc.

Google corrected this flaw earlier this month.
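As an added illustration of the encoding mismatch described above (this is not code from the original post, and it is written in Python rather than PHP so that both sides of the mismatch can be shown in one runnable file): the helper names to_utf7_strict(), escape_utf8(), browser_decodes(), charset_declared() and render_welcome() are chosen for this example, and the untrusted input is constructed. The escaper, treating the text as UTF-8, finds nothing to escape in the UTF-7 form of the input, yet a consumer that decodes the very same bytes as UTF-7 recovers the original markup. Declaring the charset, as the post recommends, takes that choice away from the consumer.

```python
import base64
import html
import re
from typing import Dict, Tuple

# Added illustration of the encoding-mismatch problem described in the post.
# The helper names and the sample input below are constructed for this example.


def to_utf7_strict(text: str) -> str:
    """RFC 2152 UTF-7 with every non-alphanumeric character base64-encoded.

    Python's own utf-7 codec leaves '<' and '>' as literal bytes, which would
    hide the point, so this hand-written encoder is used instead.
    """
    out = []
    for ch in text:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            # One shift sequence per character: '+' base64(UTF-16BE) '-'
            b64 = base64.b64encode(ch.encode("utf-16-be")).decode("ascii")
            out.append("+" + b64.rstrip("=") + "-")
    return "".join(out)


def escape_utf8(value: str) -> str:
    """Stand-in for htmlentities($value, ENT_QUOTES, 'UTF-8'): escapes the
    HTML metacharacters it can see in text it treats as UTF-8."""
    return html.escape(value, quote=True)


def browser_decodes(body: str, charset: str) -> str:
    """Model a browser decoding an ASCII-only body under the charset it was
    given (or guessed)."""
    return body.encode("ascii").decode(charset)


def charset_declared(content_type: str) -> bool:
    """True when a Content-Type header value names a charset explicitly,
    the control the post says Google's response was missing."""
    pattern = r";\s*charset\s*=\s*\"?[\w-]+"
    return re.search(pattern, content_type, re.IGNORECASE) is not None


def render_welcome(username: str) -> Tuple[str, str]:
    """The post's hardened pattern: escape as UTF-8 *and* declare UTF-8 in the
    response header, so the browser cannot decode the body any other way."""
    header = "Content-Type: text/html; charset=UTF-8"
    body = "<p>Welcome back, " + escape_utf8(username) + ".</p>"
    return header, body


def demo() -> Dict[str, object]:
    untrusted = "<script>alert(1)</script>"        # constructed attacker input
    as_utf7 = to_utf7_strict(untrusted)
    escaped = escape_utf8(as_utf7)                  # escaper sees only +, - and alphanumerics
    return {
        "escaper_changed_nothing": escaped == as_utf7,
        "decoded_as_utf8": browser_decodes(escaped, "utf-8"),
        "decoded_as_utf7": browser_decodes(escaped, "utf-7"),
        "bare_header_ok": charset_declared("text/html"),
        "declared_header_ok": charset_declared("text/html; charset=UTF-8"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it and compare decoded_as_utf8 with decoded_as_utf7: the escaped bytes are harmless under the encoding the application assumed and markup again under the one the browser guessed. The fix is the pairing in render_welcome(), where the escaping encoding and the declared encoding are the same value.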

About this post

Google's XSS Vulnerability was posted on Wed, 21 Dec 2005.

12 comments

1. lalala said:

I'm not quite understanding it. Could you post a sample URL here and what exactly happens then?

Thanks

Wed, 21 Dec 2005 at 17:43:13 GMT


2. Chris Shiflett said:

The vulnerability has been fixed, so no, I can't. :-)

Wed, 21 Dec 2005 at 17:53:33 GMT


3. Chris Shiflett said:

Here is a helpful PHP function that you can use to convert a string to UTF-7:

http://php.net/mb_convert_encoding

Wed, 21 Dec 2005 at 17:56:47 GMT


4. Ivo Jansch said:

I don't understand either. To be able to comprehend how this may affect my website, could you explain how this could be exploited, even though you cannot demonstrate it?

Wed, 21 Dec 2005 at 19:53:18 GMT


5. Chris Shiflett said:

I explain this more thoroughly here:

http://shiflett.org/archive/178

Hope that helps. :-)

Wed, 21 Dec 2005 at 20:20:45 GMT


6. abc said:

<script>alert('Hi')</script>

Tue, 24 Jan 2006 at 20:41:42 GMT


7. the tester said:

just testing...

Thu, 26 Jan 2006 at 17:12:28 GMT


8. the tester said:

another test...

Thu, 26 Jan 2006 at 17:14:36 GMT


9. the tester said:

You are vulnerable to XSS as well. Just click my URL above....

Thu, 26 Jan 2006 at 17:17:45 GMT


10. Chris Shiflett said:

I appreciate your persistence and for letting me know, but I think you still have some work to do.

Having the target of your link be javascript:foo isn't much better than asking a user to copy and paste that into the location bar. The user still has a choice in the matter.

In other words, if this is XSS, then an example CSRF attack would be to use something like this as your URL:

http://target/buy.php?isbn=059600656X

Feel free to continue to experiment, and thanks again.

Thu, 26 Jan 2006 at 17:47:41 GMT


11. dsingh2 said:

Hi Chris,

I am a newbie and would appreciate it if you could explain how you manage to display <script>alert('hi')</script> as such in your output without using encoding.

Thanks

Mon, 30 Jan 2006 at 04:03:07 GMT


12. Chris Shiflett said:

I use htmlentities(), and I indicate UTF-8 as the character encoding to use. This matches what I indicate in my Content-Type header:

Content-Type: text/html; charset=UTF-8

Wed, 12 Apr 2006 at 13:35:38 GMT


13. I'm sorry :( said:

<<SCRIPT>window.location = 'http://www.google.com/';//<</SCRIPT>

Thu, 20 Jul 2006 at 01:13:11 GMT


14. Justaman said:

¼script¾alert(¢Another Test¢)¼/script¾

Thu, 27 Jul 2006 at 11:20:02 GMT


15. watermellon said:

having fun

Fri, 28 Jul 2006 at 20:21:30 GMT


16. Webkatalog said:

I am getting this error message when trying to determine the PR of a site from my remote server. However, it works on another remote server.

"Your client does not have permission to get URL ..."

I am wondering if this has something to do with the PHP installation or similar...

Thanks,

Jonas

Tue, 31 Oct 2006 at 22:08:52 GMT


17. Paul said:

I believe I understand why to use htmlentities() when displaying output back to a Web site, but isn't the only thing that needs to be checked for a <script> tag? What could you put in an HTML tag (i.e. <h1> or <div>) that could be harmful?

Thanks,

Paul

Sat, 13 Jan 2007 at 17:42:52 GMT


18. Chris Shiflett said:

Hi Paul,

There are many XSS examples listed here:

http://ha.ckers.org/xss.html

Hope that helps!

Sat, 13 Jan 2007 at 18:20:24 GMT


19. brontex said:

allow bro...

I want to ask about an XSS vulnerability. My favorite web site has been injected with this script; you can see it in this link:

http://www.liveconnector.com/forum/...opic.php?t=6881

How can I fix this problem? Please teach me. To Mr. Chris: maybe we can talk more on YM, my id: adieth_illusion

Tue, 08 May 2007 at 15:11:47 GMT


20. Ron said:

Hello Chris, very interesting post. I just wondered, if you want to bypass UTF-8 encoding, you used in your example at

http://shiflett.org/blog/2005/dec/google-xss-example

header('Content-Type: text/html; charset=UTF-7');

What I don't understand is that if you want to include this for the XSS vulnerability, you have to have access to the PHP page? Or from where was that injected?

Thank you very much

Thu, 29 Nov 2007 at 17:22:03 GMT


21. XSS Tester said:

Thanks for your post! ;P XSS is great fun, e.g. here:

This is an example of a .gov domain which links to my site:

My site:

http://www.onlinekatalog24.de/

And here the XSS site, which is still not fixed:

http://www-odi.nhtsa.dot.gov/cars/p...mp;summary=true

which is definitely mistaken ;P

Thu, 13 Mar 2008 at 14:55:22 GMT


22. Dennis Gearon said:

I would really like to see a 'sequence diagram' for how the Google example actually happens. In particular, how does UTF-7 text sent through 'htmlentities' get interpreted as JavaScript?

Mon, 01 Sep 2008 at 04:25:38 GMT

