
XSS in Gmail’s AMP For Email earns researcher $5,000

A cross-site scripting (XSS) vulnerability in AMP for Email, Gmail’s dynamic email feature, has netted a security researcher a $5,000 bug bounty payout.

AMP for Email brings AMP functionality to rich, interactive emails. AMP itself is an open source HTML framework used to optimize websites for web browsing on mobile.

Adi Cohen, who unearthed the security flaw, said he had no problem finding a vector that triggered an XSS within the AMP playground, but found bypassing Gmail’s XSS filter a much tougher assignment.

Rendering contexts

The “easiest way to circumvent an XSS filter is by tricking it into a different rendering context than what the browser will actually use to render a given piece of code”, observed Cohen in a blog post.

Since AMP for Email forbids the likes of templates, SVG, math, and CSS, he instead targeted stylesheets as a potential path to an XSS payload with multiple rendering contexts.

This required a discrepancy between how the stylesheet is rendered by the filter and browser, either by “tricking the filter into believing a fake style tag is real”, or “the exact opposite”.

Cohen’s initial vector worked in the sandbox because AMP “leaves the CSS context as soon as it encounters the string ‘</style’ even if it doesn’t have a closing bracket (>) or at least a whitespace after it”.

He was then able to “trick the filter into believing we’re back in HTML context, while the browser obviously ignores </styleX> entirely and stays well within the realm of CSS”.
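The discrepancy Cohen describes is a tokenizer difference: per the HTML specification, inside a raw-text element such as <style> the sequence `</style` only closes the element when the next character is whitespace, `/` or `>`, so a browser keeps `</styleX>` inside the CSS. The Python below is an added example (not code from Cohen’s post, AMP or Gmail) that compares a spec-conformant end-tag rule with the looser prefix rule the article attributes to the AMP sandbox, so a filter author can check whether the two ever disagree on a document; the sample markup is constructed.

```python
import re
from typing import Optional, Tuple

# HTML spec rule for raw-text elements: "</style" ends the element only when
# followed by ASCII whitespace, "/" or ">". Otherwise it is ordinary CSS text.
_SPEC_END = re.compile(r"</style(?=[ \t\n\f\r/>])", re.IGNORECASE)

# The looser rule the article attributes to the AMP sandbox: the bare string
# "</style" leaves CSS context no matter what character follows it.
_PREFIX_END = re.compile(r"</style", re.IGNORECASE)


def css_span(doc: str, end_rule: "re.Pattern[str]") -> Optional[Tuple[int, int]]:
    """Offsets of the CSS text in the first <style> block, as delimited by
    end_rule. A block that never closes runs to the end of the document."""
    opener = re.search(r"<style\b[^>]*>", doc, re.IGNORECASE)
    if opener is None:
        return None
    start = opener.end()
    closer = end_rule.search(doc, start)
    return (start, closer.start() if closer else len(doc))


def css_text(doc: str, spec: bool) -> str:
    """CSS as seen by the browser (spec=True) or by a prefix-based filter."""
    span = css_span(doc, _SPEC_END if spec else _PREFIX_END)
    return "" if span is None else doc[span[0]:span[1]]


def context_mismatch(doc: str) -> bool:
    """True when the filter and the browser disagree about where the CSS
    ends, i.e. the filter scans text in HTML context that the browser still
    treats as CSS. A filter must use the browser's rule to avoid this."""
    return css_text(doc, spec=True) != css_text(doc, spec=False)


# Constructed samples: the "</styleX>" case from the article, and a benign
# document where both rules agree.
SAMPLE = "<style>p{color:red}</styleX> b{color:blue}</style><p>hi</p>"
BENIGN = "<style>p{color:red}</style><p>hi</p>"

if __name__ == "__main__":
    for name, doc in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, "mismatch:", context_mismatch(doc))
```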

</styl> over substance

But “what looked like a promising vector in AMP, seemed way less interesting after Gmail ran its magic on it,” said Cohen.

A breakthrough came when he harnessed a CSS selector, which ensured the payload was returned unchanged by Gmail – “no escaping or other mutations”.

However, the malicious payload prompted an error after the AMP sandbox encountered ‘</style’, so Cohen tried </styl>, but Gmail’s filter was wise to its resemblance to </style>.

What worked instead was testing a benign payload with an encoded selector – because Gmail decoded it, he could use the selector to inject a closing style tag.

Cohen reported the issue to Google on March 27, 2021, and noticed on July 7 that it had been fixed.

As previously reported by The Daily Swig, Google addressed an unrelated, notable XSS in AMP For Email back in 2019, after security researcher Michał Bentkowski leveraged id attributes in tags to enable ‘DOM clobbering’ attacks.

Source: https://portswigger.net/daily-swig/xss-in-gmails-amp-for-email-earns-researcher-5-000
