! [](/Article/UploadPic/2016-3/2 0 1 6 3 2 1 4 4 0 5 1 8 0 6. png? The black bar safety net) Google for Work Connect, the GWC is a System, Application Administrator, and partner community of system, but also in Google's vulnerability reward range. Shortly before, I was in the GWC community system found reflection type, a storage type, the DOM type[XSS]( a). The storage type[XSS]() In the GWC community system, different application administrators can share with each other their own point of view. This community system allows users to create documents, articles, discussion/messages there are other such as tag questions, tags, etc., the article comprising a title and a body text, the title is we are most interested in the point, but the system will put the coding into HTML entities ! [](/Article/UploadPic/2016-3/2 0 1 6 3 2 1 4 4 0 5 1 3 2 7. png? The black bar safety net) As shown above, is encoded into HTML entities, so at this point we can't use, but through Google Drive we can also do the same thing. In Google Drive, there is a“Upload a file to Google Drive”function, the uploaded file name will be the article's title. ! [](/Article/UploadPic/2016-3/2 0 1 6 3 2 1 4 4 0 5 2 8 7 4. png? The black bar safety net) As shown above, in my Google Drive upload of the“xxxxxxxx’yyyyy. PNG, then the file name is placed into a script tag in the title, but“ and there is no coding or filtering, so can be constructed[xss]( a). ! [](/Article/UploadPic/2016-3/2 0 1 6 3 2 1 4 4 0 5 2 8 3 4. png? The black bar safety net) As shown above, in Google Drive, Upload a file called confirm(document. domain)of the file, then the file name is nested into the GWC community system, The[xss]()is the storage type[xss](), any logged in user to see the article, will trigger the[xss]( a). This storage type[xss]()to form the Genesis is the GWC community system in the introduction of other application data to Google Drive, not the data control/encoding/filter and used directly, but in their respective applications, for the user-submitted data is treated very well. The reflection type[XSS]() If you can trigger the error such as in Google Drive, the file didn't upload well, the GWC community system will be in the GET request”googleDriveError”parameter throws an error message, This parameter can be configured of a reflective type[xss](a). Also if you can construct an authentication error, the error information will also be placed in the GET request the“error”parameter. As shown below, the GET request of “googleDriveError”parameter contains our harmless test character“xxxxxxxx’yyyyy。 ! [](/Article/UploadPic/2016-3/2 0 1 6 3 2 1 4 4 0 5 2 5 5 8. png? The black bar safety net) In the above figure, you also can see and not be encoded into HTML entities. ! [](/Article/UploadPic/2016-3/2 0 1 6 3 2 1 4 4 0 5 2 6 2 2. png? The black bar safety net) As shown above, the GET request of“googleDriveError”parameters to construct[xss]( a). ! [](/Article/UploadPic/2016-3/2 0 1 6 3 2 1 4 4 0 5 2 3 5 0. png? The black bar safety net) As shown above, by the GET request to the“error”parameter to construct[xss]( a). DOM - [XSS]() The culprit is the window. location. hash. substring(1), but there is a limit: only when a user mark an article as“Mark as Helpful”to trigger the[xss](a). The problematic JavaScript code is as follows: ... {if(window. location. hash){c. scrollTo("a[name='"+window. location. hash. substring(1)+"']")} ... ! [](/Article/UploadPic/2016-3/2 0 1 6 3 2 1 4 4 0 5 2 8 6 5. png? The black bar safety net) As shown above, the article is not marked as“Mark as Helpful”, so does not trigger the[xss]( a). ! [](/Article/UploadPic/2016-3/2 0 1 6 3 2 1 4 4 0 5 2 2 9 0. png? The black bar safety net) As shown above, the article is marked as“Mark as Helpful”, so the trigger of the[XSS]( a).

Query Builder