[thelist] [OT] Breaking Google...

Ken Schaefer ken at adOpenStatic.com
Thu Oct 23 20:50:14 CDT 2003


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Rodrigo Fonseca" <lists at vega.eti.br>
Subject: Re: [thelist] [OT] Breaking Google...


: Roger Ly wrote:
: > Offending onclick function is this:
: >
: > return b('http://groups.google.com/groups?q=roger's&hl=en&lr=&ie=UTF-8&oe=UTF-8&sa=G','wg',event);
: >
: > Which has its first parameter prematurely terminated by
: > the single quote.
:
: Yes, you're right. I've just tested and it fired
: an error. Strange that Google does not filter
: single quotes... Haven't they heard about SQL
: injection yet?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

...who says they're not filtering the single quote marks? SQL Injection is
only relevant to SQL queries, and if they weren't filtering the single quote
marks, I'd expect to see a big fat ugly 500 Internal Server Error type
response from the server (because the DBMS is choking on unescaped single
quote marks).

The problem here is that they (Google) are not encoding the user-supplied
input when they echo it back to the client on the results page. So, perhaps
there is scope for XSS (Cross-Site Scripting) vulnerabilities, if they do
somehow store queries that users enter (and echo them back, e.g., to internal
staff).

Cheers
Ken

Microsoft MVP - Windows Server (IIS)
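The point Ken makes above, as an added example that is not part of the original thread and not Google's code: the raw search term is dropped into a JavaScript string literal inside an onclick attribute, so a single quote ends the literal early (a SyntaxError on the page), and a term shaped like JavaScript runs as code. Escaping for the JS string and then encoding for the HTML attribute closes both. The function name b(), the URL shape and the query "roger's" are taken from the quoted message; the helper names, the stub b(), the simulated click and the injection payload are illustrative assumptions.

```javascript
// Added example, not code from the thread or from Google: how an unescaped
// single quote in a search term breaks the JS string literal inside an onclick
// attribute, and the two-layer encoding (JS string, then HTML attribute) that
// prevents it. The function name b(), the URL shape and the query "roger's"
// are taken from the quoted message; everything else is illustrative.

// Escape a value for use inside a single- or double-quoted JS string literal.
// \uXXXX escapes are valid in either quoting style and survive HTML decoding.
function jsStringEscape(s) {
  return s.replace(/[\\'"<>\u2028\u2029\r\n]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Encode a value for placement inside a double-quoted HTML attribute.
function htmlAttrEncode(s) {
  return s.replace(/[&<>"]/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" })[c]);
}

// Stand-in for the browser, which decodes entities in the attribute value
// before handing it to the JS parser (handles only the entities emitted above).
function htmlAttrDecode(s) {
  return s.replace(/&(amp|lt|gt|quot);/g, (m, name) =>
    ({ amp: "&", lt: "<", gt: ">", quot: '"' })[name]);
}

function groupsUrl(query) {
  return "http://groups.google.com/groups?q=" + query +
    "&hl=en&lr=&ie=UTF-8&oe=UTF-8&sa=G";
}

// Vulnerable (mirrors the quoted page): the raw query lands in the literal.
function onclickVulnerable(query) {
  return "return b('" + groupsUrl(query) + "','wg',event);";
}

// Hardened: URL-encode the query for the URL, escape the whole URL for the
// JS string, then encode the whole handler for the attribute. Note that
// encodeURIComponent leaves the apostrophe alone, so step 1 alone is not enough.
function onclickSafe(query) {
  const js = "return b('" + jsStringEscape(groupsUrl(encodeURIComponent(query))) +
    "','wg',event);";
  return htmlAttrEncode(js);
}

// Simulate a click: decode the attribute as a browser would, compile the
// handler body, run it with a stub b() and report every URL b() received.
function simulateClick(attrValue) {
  const calls = [];
  const b = (url) => { calls.push(url); return false; };
  try {
    const handler = new Function("b", "event", htmlAttrDecode(attrValue));
    handler(b, {});
    return { ok: true, calls };
  } catch (e) {
    return { ok: false, error: e.constructor.name, calls };
  }
}

// Constructed inputs: the query from the thread and an injection payload.
const QUERY = "roger's";
const PAYLOAD = "'+b('injected','x')+'";

function demo() {
  return {
    vulnQuery: simulateClick(onclickVulnerable(QUERY)),     // SyntaxError
    vulnPayload: simulateClick(onclickVulnerable(PAYLOAD)), // b('injected') runs
    safeQuery: simulateClick(onclickSafe(QUERY)),           // one call, apostrophe intact
    safePayload: simulateClick(onclickSafe(PAYLOAD)),       // one call, payload is data
  };
}
```

The order of the two encodings matters: the browser undoes the HTML attribute encoding first and hands the result to the JavaScript parser, so the value must be escaped for the innermost context (the JS string) before it is encoded for the outer one (the attribute). URL-encoding the query is still worth doing for the URL itself, but it does not touch the apostrophe, which is exactly the character that broke the page.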


