About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.


Google's XSS Vulnerability

The recent cross-site scripting (XSS) vulnerability discovered in Google perfectly illustrates why character encoding matters. This example demonstrates how to use PHP's htmlentities() function with the optional third argument that indicates the character encoding:

<?php

// $clean['username'] is assumed to hold input that has already been validated.
$html = array();

// Escape for HTML output. ENT_QUOTES also converts single and double quotes,
// and the third argument must match the charset declared in the Content-Type header.
$html['username'] = htmlentities($clean['username'],
                                 ENT_QUOTES,
                                 'UTF-8');

echo "<p>Welcome back, {$html['username']}.</p>";

?>

The example uses UTF-8, so this should be indicated in the Content-Type header:

Content-Type: text/html; charset=UTF-8

Researchers at Watchfire realized that Google does not indicate the character encoding. They also realized that data you send in a URL such as the following is returned in the body of the response:

http://google.com/url?EVIL

You will see the following:

Forbidden

Your client does not have permission to get URL /url?EVIL from this server.

Google does not defend against attacks that use UTF-7, so all an attacker must do is target a browser that will interpret Google's response as a UTF-7 resource. Because Google does not indicate the character encoding in its Content-Type entity header, this is possible.

Unfortunately for Internet Explorer users (and Google), Internet Explorer has an auto-select option for encoding that, if set, will interpret a resource as UTF-7 whenever it finds a UTF-7 character in the first 4096 bytes. Because Google's response is so small, the danger is clear.

The moral of the story is that you should always ensure character encoding consistency between your escaping function and the remote system to which you're sending data. In other words, specify the character encoding in htmlentities(), use mysql_real_escape_string() (which handles this for you), etc.
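To make that mismatch concrete, here is an added Python model (not code from the post) of the three pieces described above: output escaping equivalent to the htmlentities() call, a response that does or does not declare a charset, and a client that, like the Internet Explorer auto-select option, falls back to UTF-7 when nothing is declared. The username sample, the charset check and the sniffing heuristic are constructed simplifications, not Google's or Internet Explorer's actual logic.

```python
import html
import re
from typing import Dict, Optional, Tuple

# Constructed sample input. In UTF-7, "<" is written "+ADw-" and ">" is
# "+AD4-", so this string is plain ASCII containing no HTML metacharacters.
UTF7_USERNAME = "+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def escape_for_html(text: str) -> str:
    """Stand-in for htmlentities($text, ENT_QUOTES, 'UTF-8'): escapes & < > " '."""
    return html.escape(text, quote=True)


def render_page(username: str, declare_charset: bool) -> Tuple[Dict[str, str], bytes]:
    """Build the response the PHP snippet above would send.
    declare_charset=False models a server that omits the charset parameter."""
    content_type = "text/html; charset=UTF-8" if declare_charset else "text/html"
    body = f"<p>Welcome back, {escape_for_html(username)}.</p>".encode("utf-8")
    return {"Content-Type": content_type}, body


def declared_charset(headers: Dict[str, str]) -> Optional[str]:
    """The check a reviewer wants to run: is a charset actually declared?"""
    m = re.search(r'charset\s*=\s*"?([\w-]+)', headers.get("Content-Type", ""), re.I)
    return m.group(1).lower() if m else None


def browser_decodes(headers: Dict[str, str], body: bytes) -> str:
    """Simplified model of the auto-select behaviour: honour a declared charset;
    otherwise fall back to UTF-7 if a shift sequence (+base64-) appears in the
    first 4096 bytes. The real heuristic is more involved; this is an assumption."""
    charset = declared_charset(headers)
    if charset is None and re.search(rb"\+[A-Za-z0-9+/]+-", body[:4096]):
        charset = "utf-7"
    return body.decode(charset or "utf-8", errors="replace")


def contains_script_tag(rendered: str) -> bool:
    """What the user's browser would actually hand to its HTML parser."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for declare in (False, True):
        headers, body = render_page(UTF7_USERNAME, declare)
        seen = contains_script_tag(browser_decodes(headers, body))
        print(f"charset declared: {declare!s:5} -> script tag reaches parser: {seen}")
```

The escaping function never fires on the UTF-7 form because it contains no metacharacters; only the declared charset keeps the client from decoding it into markup.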

Google corrected this flaw earlier this month.

About This Post

Google's XSS Vulnerability was posted on Wed, 21 Dec 2005 at 16:41:21 GMT.

21 Comments

1. lalala said:

I'm not quite understanding it. Could you post a sample URL here and what exactly happens then?

Thanks

Wed, 21 Dec 2005 at 17:43:13 GMT


2. Chris Shiflett said:

The vulnerability has been fixed, so no, I can't. :-)

Wed, 21 Dec 2005 at 17:53:33 GMT


3. Chris Shiflett said:

Here is a helpful PHP function that you can use to convert a string to UTF-7:

http://php.net/mb_convert_encoding

Wed, 21 Dec 2005 at 17:56:47 GMT


4. Ivo Jansch said:

I don't understand either. To be able to comprehend how this may affect my website, could you explain how this could be exploited, even though you cannot demonstrate it?

Wed, 21 Dec 2005 at 19:53:18 GMT


5. Chris Shiflett said:

I explain this more thoroughly here:

http://shiflett.org/archive/178

Hope that helps. :-)

Wed, 21 Dec 2005 at 20:20:45 GMT


6. abc said:

<script>alert('Hi')</script>

Tue, 24 Jan 2006 at 20:41:42 GMT


7. the tester said:

just testing...

Thu, 26 Jan 2006 at 17:12:28 GMT


8. the tester said:

another test...

Thu, 26 Jan 2006 at 17:14:36 GMT


9. the tester said:

You are vulnerable to XSS as well. Just click my URL above....

Thu, 26 Jan 2006 at 17:17:45 GMT


10. Chris Shiflett said:

I appreciate your persistence and for letting me know, but I think you still have some work to do.

Having the target of your link be javascript:foo isn't much better than asking a user to copy and paste that into the location bar. The user still has a choice in the matter.

In other words, if this is XSS, then an example CSRF attack would be to use something like this as your URL:

http://target/buy.php?isbn=059600656X

Feel free to continue to experiment, and thanks again.

Thu, 26 Jan 2006 at 17:47:41 GMT


11. dsingh2 said:

Hi Chris,

I am a newbie and would appreciate it if you could explain how you manage to display <script>alert('hi')</script> as such in your output without using encoding.

thanks

Mon, 30 Jan 2006 at 04:03:07 GMT


12. Chris Shiflett said:

I use htmlentities(), and I indicate UTF-8 as the character encoding to use. This matches what I indicate in my Content-Type header:

Content-Type: text/html; charset=UTF-8

Wed, 12 Apr 2006 at 13:35:38 GMT


13. I'm sorry :( said:

<<SCRIPT>window.location = 'http://www.google.com/';//<</SCRIPT>

Thu, 20 Jul 2006 at 01:13:11 GMT


14. Justaman said:

¼script¾alert(¢Another Test¢)¼/script¾

Thu, 27 Jul 2006 at 11:20:02 GMT


15. watermellon said:

having fun

Fri, 28 Jul 2006 at 20:21:30 GMT


16. Webkatalog said:

I am getting this error message when trying to determine the PR of a site from my remote server. However, it works on another remote server.

"Your client does not have permission to get URL ..."

I am wondering if this has something to do with the PHP installation or similar...

thanks,

Jonas

Tue, 31 Oct 2006 at 22:08:52 GMT


17. Paul said:

I believe I understand why to use htmlentities() when displaying output back to a Web site, but isn't the only thing that needs to be checked for a <script> tag? What could you put in an HTML tag (i.e. <h1> or <div>) that could be harmful?

Thanks,

Paul

Sat, 13 Jan 2007 at 17:42:52 GMT


18. Chris Shiflett said:

Hi Paul,

There are many XSS examples listed here:

http://ha.ckers.org/xss.html

Hope that helps!

Sat, 13 Jan 2007 at 18:20:24 GMT


19. brontex said:

allow bro...

I want to ask about the XSS vulnerability. My favorite web site has been injected with this script; you can see it at this link:

http://www.liveconnector.com/forum/...opic.php?t=6881

How can I fix this problem? Please teach me. To Mr Chris: maybe we can talk more on YM, my id: adieth_illusion

Tue, 08 May 2007 at 15:11:47 GMT


20. Ron said:

Hello Chris, very interesting post. I just wondered: if you want to bypass UTF-8 encoding, you used in your example at

http://shiflett.org/blog/2005/dec/google-xss-example

header('Content-Type: text/html; charset=UTF-7');

What I don't understand is: if you want to include this for the XSS vulnerability, do you have to have access to the PHP page? Or from where was that injected?

thank you very much

Thu, 29 Nov 2007 at 17:22:03 GMT


21. XSS Tester said:

thanks for your post! ;P XSS is great fun, e.g. here:

this is an example of a .gov domain which links to my site:

my site:

http://www.onlinekatalog24.de/

and here the XSS site, which is still not fixed:

http://www-odi.nhtsa.dot.gov/cars/p...mp;summary=true

which is definitely mistaken ;P

Thu, 13 Mar 2008 at 14:55:22 GMT

