Monday, 16 April 2012

Adding Gaug.es to Blogger, XSS by design?

I just added Gaug.es monitoring to this blog (hosted by Blogger). That can easily be done by:
  • going to the Blogger Layout page (via the admin panel)
  • at the bottom click on 'Add a Gadget'
  • choose the HTML/Javascript gadget from the 'Basics' list
  • add the Gaug.es tracking code, which looks something like this:

For this to work, Blogger is in essence allowing me to inject Javascript into this blogging site, which is basically persistent XSS :)

In fact, the code sample above (a Gist embedded from GitHub) is also an XSS injection, so one can also put script execution on normal posts:


So what are the security implications of this?

  • The JavaScript code will be executed under the http://diniscruz.blogspot.com/ domain, so (in principle) any script on it should not be able to affect any other *.blogspot.com domain
  • The injection of code via the blog Layout means that any blog admin can take over this blog (so that is OKish)
  • But what about Javascript on the blog post? Doesn't that mean that any author of this blog can take over the blog (by putting a payload on a page and waiting for an admin to see it?)
  • What about visitors to this blog? Is there a way to 'attack' them? 
    • For example: will it be possible to auto-post a comment (or vote) for them? It looks like comments are made from http://www.blogger.com/comment.g?... so that could prevent it
Question: Is there a write-up somewhere on the interweb about the security implications, threats and countermeasures of allowing user script injection in a user-driven site like Blogger?

This question is very relevant to me at the moment, since the 3.1 beta version of TeamMentor allows raw HTML (and scripts) to be used on TM Articles (this was a requested feature), and I need to figure out the best way to handle it.
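One common way to handle the TeamMentor case is the opposite of what Blogger does in the Layout gadget: parse the author-supplied HTML, keep only an allowlist of tags and attributes, and drop everything that can execute (script and style elements with their content, every `on*` handler, and `javascript:` URLs). The example below is added here to illustrate that approach; it is not TeamMentor's or Blogger's code. It uses only the Python standard library (`html.parser`), and the particular tag and attribute allowlists are assumptions chosen for illustration, not a recommendation of which tags an article system should accept. If raw scripts really are a required feature, the remaining option is the one the post already notes for *.blogspot.com: render that content on a separate origin so the same-origin policy keeps it away from the main application.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists for the example; an article system would tune these.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "a", "pre", "code", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # no attributes at all on other tags
VOID_TAGS = {"br"}
URL_SCHEMES = {"http", "https", "mailto"}  # 'javascript:' and friends are rejected


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted markup; everything else becomes text or is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of emitted tags so the output stays well-formed
        self.skip_depth = 0   # > 0 while inside <script>/<style>, whose text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content still comes through handle_data
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # removes onclick/onerror/style/etc. without listing them
            if name == "href" and not self._safe_url(value):
                continue
            safe_attrs.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close everything opened after this tag so nesting stays balanced.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions fall through to the
    # base class, which ignores them, so they are dropped from the output.

    @staticmethod
    def _safe_url(value):
        # Browsers ignore whitespace/control characters inside a scheme, so strip
        # them before deciding; 'java\nscript:' must not pass as harmless.
        cleaned = re.sub(r"[\s\x00-\x1f]", "", value or "")
        scheme = urlparse(cleaned).scheme.lower()
        return scheme == "" or scheme in URL_SCHEMES

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html):
    """Return a version of untrusted_html containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input, the kind of article body an author might submit.
    sample = ('<p>Hello <script>alert(1)</script>world</p>'
              '<img src=x onerror=alert(1)>'
              '<a href="javascript:alert(1)" onclick="x()">click</a>'
              '<a href="https://example.com" title="t">ok</a>')
    print(sanitize(sample))
```

The design choice worth noting is the allowlist: the sanitizer never tries to recognise "bad" attributes or schemes, it only passes through what is explicitly permitted, so a handler name or scheme it has never heard of is dropped by default. For a production system a maintained sanitizer library is the usual choice; the stdlib parser here is enough to show the shape of the policy.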