Security Bookmarklets

I took a couple of days of my school vacation to write three bookmarklets that help me when auditing web sites. I’d like to share them here because I know they’ll help some of my friends, and probably one of the two readers of this blog.

Text2SQLChar: converts a string into a MySQL CHAR() expression, useful when magic_quotes is on.
SQLIncrement: automatically increments the number of columns in the injected SELECT query.
SQLDecrement: automatically decrements the number of columns in the injected SELECT query.
Increment: lets you navigate up through HTML files or images that have a number in their name.
Decrement: lets you navigate down through HTML files or images that have a number in their name.
base64: Firefox only, base64 with no padding.

I wrote the first three of them. I’m no JavaScript god, so they need improvement; I’ll try to make them shorter and follow a couple of suggestions from bookmarklets.com. The other two come from RSnake’s bookmarklet collection, where I fixed one detail: they were not decoding the URL before using it, so if the URL contained an escaped value at the end, like %20, they would modify it and change it to %21. I’ll keep this post updated whenever I find or write a new security-related bookmarklet. On another note, I noticed that the site looks ugly on low-resolution systems, so in a couple of days I’ll try to get a new theme to fix that and update the WordPress version.
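To illustrate the decoding bug just described, here is an added example (my own code for this post, not the bookmarklet as it ships in RSnake’s collection): the naive increment, which corrupts a trailing %20 into %21, next to a fixed version that treats every %XX escape as one opaque token, which gets the effect of decoding first without a decode/re-encode round trip. It assumes the number to step is the last run of decimal digits in the URL.

```javascript
// Added example, not the bookmarklet's own code.
// Assumption: "last number" means the final run of decimal digits in the URL.
var LAST_DIGIT_RUN = /(\d+)(?!.*\d)/;

// Buggy behaviour: on the raw, still-encoded URL the "20" inside a trailing
// "%20" (space) looks like a page number and becomes "%21" ("!").
function incrementLastNumberNaive(url) {
  return url.replace(LAST_DIGIT_RUN, function (m) {
    return String(Number(m) + 1);
  });
}

// Fixed: tokenise the URL so that a "%XX" escape is a single opaque token
// and its hex digits are never treated as part of a number.
// Negative step decrements (clamped at 0); zero padding (007 -> 008) is kept.
function incrementLastNumber(url, step) {
  if (step === undefined) step = 1;
  var tokens = url.match(/%[0-9A-Fa-f]{2}|\d+|[^%\d]+|%/g) || [];
  for (var i = tokens.length - 1; i >= 0; i--) {
    if (/^\d+$/.test(tokens[i])) {
      var n = Number(tokens[i]) + step;
      if (n < 0) n = 0;                        // do not go below 0
      var s = String(n);
      while (s.length < tokens[i].length) s = "0" + s; // preserve padding
      tokens[i] = s;
      return tokens.join("");
    }
  }
  return url;                                  // no number to change
}
```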

Google Gadgets XSS (IE6/Opera)

There is a recent discussion on ha.ckers.org regarding a possible CSRF that could allow an attacker to inject an evil gadget into somebody else’s iGoogle page. After checking the format of the XML file used to define a gadget’s properties, I noticed a couple of attributes that could be used as injection points for active content: the thumbnail and screenshot attributes. Only one of them is vulnerable, the screenshot attribute: by using a javascript: URI as its value you can execute active content in certain browsers such as IE6. This is a PoC that shows an alert with the current document.domain value:

www.google.com/ig/adde?moduleurl=http://beford.org/stuff/ig.xml

I’ve just notified Google about this. To avoid being a target of this flaw you can switch to Mozilla Firefox (+NoScript), or upgrade to IE7, which is not an option for Windows 2000 users.

Update: According to a friend, Rafael, Opera users are vulnerable as well; he sent me a screenshot which you can see here: Opera Google XSS.

Update 2: Google fixed this on 27 November.