LiveOverflow interviews the finder of an XSS in Google Sheets and some Google engineers on why this bug existed. Super interesting to hear this from both sides!
The researcher found this bug several years ago in the Google Visualizer. The JavaScript library is closed source but the researcher reversed the obfuscated JavaScript! This proves, to me, that reversing difficult things provides much fruit.
The bug involved an arbitrary object constructor found in the JavaScript. It turns out that passing a function to this constructor also executes the function, which makes it an XSS gadget.
The original fix removed the worst gadget (executeFromURL) and enforced an allowlist on the parameters it accepted. This vulnerability, however, concerns a place where that fix regressed and the allowlist was removed.
By specifying a particular type for a chart, it was possible to register a postMessage listener via the arbitrary constructor bug. postMessage is the browser API used for cross-origin messaging between pages.
This postMessage handler took a URL from the message and placed it into a script tag! This allows an arbitrary script to be injected into Google Docs!
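The sink described above, as an added example that is not the video's or Google's code: a postMessage listener that turns a message-supplied URL into a script tag, first in the unsafe shape the write-up describes and then hardened with an origin check and a script-host allowlist. The origin and host names, and the fake document used to run it outside a browser, are constructed for illustration.

```javascript
// Added example, not from the video or Google's code. Origins, hosts and the
// document stand-in are constructed so the listener can be exercised offline.
const TRUSTED_ORIGINS = new Set(['https://docs.example.com']);   // constructed
const SCRIPT_HOST_ALLOWLIST = new Set(['static.example.com']);    // constructed

// Unsafe shape: no origin check, and whatever URL arrives becomes <script src>.
// Any page holding a handle on this window (opener, embedding parent) can post
// a message, so this is a cross-origin script injection sink.
function unsafeHandler(event, doc) {
  const s = doc.createElement('script');
  s.src = event.data.url;
  doc.head.appendChild(s);
  return s.src;
}

// Decide whether a script URL may be loaded: parseable, HTTPS only, host on the
// allowlist, no embedded credentials. Returns the normalized URL or null.
function allowedScriptUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  if (u.protocol !== 'https:') return null;
  if (!SCRIPT_HOST_ALLOWLIST.has(u.hostname)) return null;
  if (u.username || u.password) return null;
  return u.href;
}

// Hardened shape: drop messages from untrusted origins, validate the payload
// shape, and only load allowlisted URLs. Returns the loaded URL or null so the
// decision can be logged and tested.
function hardenedHandler(event, doc) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  if (!event.data || typeof event.data.url !== 'string') return null;
  const href = allowedScriptUrl(event.data.url);
  if (href === null) return null;
  const s = doc.createElement('script');
  s.src = href;
  doc.head.appendChild(s);
  return href;
}

// Minimal stand-in for document so the handlers run outside a browser.
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head, createElement(tag) { return { tag, src: '' }; } };
}

// In a real page: window.addEventListener('message', e => hardenedHandler(e, document));
```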
Wow... simply an amazing find. Watch the whole video if you want to hear from the researcher himself and the Google engineers.