Tuesday, July 9, 2013

Google Translate Manager Reflected XSS and Editor Deletion CSRF Vulnerabilities

Google Translate Manager Reflected XSS

I want to share two of my finding on Google Translator Manager which I have reported to Google in July 2012.
I have found that Google's translator manager editor application is vulnerable to Reflected Cross site Scripting attack as new parameter of this applications following Url https://translate.google.com/manager/editors?site=7e337c0c4d4b36ee is used for inputting an email id but as there is no input validation, filtration or sanitation on server side nor there is any output encoding etc to prevent this Reflected Cross site Scripting Vulnerability. So the attacker easily can steal the cookies(as http only cookie attribute missing) of any of those website users and can easily compromise there account. This vulnerabiltiy can also be exploited using the Click Jacking vulnerability or CSRF as I have reported them also before.

Original XSS Vulnerable Url(Reflected XSS Via GET & POST Requests while adding an Editor & by Injecting the XSS Payload in Invite field):

Crafted XSS Vulnerable Url:

XSS Payloads: http;//test.com<script>alert(document.cookie)</script>>

Vulnerable Parameter: new 

Reflected XSS Vulnerability POC Screenshots:

Google Translate Manager Editor Deletion CSRF
I have found that Google Translator Manager's follwoing Url https://translate.google.com/manager/editors?security_token=ALkJrhh1nJFVwo32YpPScTHeQhJ9GUZXAA:1347028470330&sel=4214ba4271023095 was vulnerable to CSRF as the Anti-CSRF(security token) token is not getting validated on the server side and the request can be sent using get and post both methods also there is a sel parameter whose value is always same and random for each mail and it can be get by attacker easily.

Original CSRF Vulnerable Url(The sel parameter is used for deleting the email id and its value is always same and random for each email id.):

Crafted CSRF Vulnerable Url:

Now the attacker sends the crafted url to the victims mail or in his chat the victim click on it and opens the crafted Url https://translate.google.com/manager/editors?sel=4214ba4271023095 on his browser as he opens this url the attacker successfully deletes any existing editors of the victims google translator manager account.(as the get request method is allowed and the Anti-CSRF token to prevent the CSRF is not getting validated on the server side even though it is implemented as following parameter security_token=ALkJrhh1nJFVwo32YpPScTHeQhJ9GUZXAA:1347028470330 and also the editors email id value for sel=4214ba4271023095(4214ba4271023095=securitytesting01@gmail.com) parameter is always same and the attacker can get this sel value very easily by using any fake account and by adding the victims email id as an editor(temporarily) in his fake google translator manager account.

The Same attack can also be done using post request method using the below mentioned code and sending it to the victim via mail using a crafted html page link:

CSRF Code:

<body onload=document.forms[0].submit();>
<form action="http://translate.google.com:80/manager/editors" method="POST">
<input type="hidden" name="sel" value="4214ba4271023095"/>

Original CSRF Vulnerable Url:

Crafted CSRF Vulnerable Url:

Both the vulnerabilities has been mitigated now.