2020-07-31

[public] 122K views, 7.28K likes, 53.0 dislikes audio only

LiveOverflow

A very interesting Cross-site Scripting Issue in gDocs Spreadsheets. I get a chance to talk to the bug hunter Nick, as well as Google engineers to understand both sides. How did he find it? And why did this vulnerability exist in the first place?

Nickolay: https://thisisqa.com/

The video is sponsored by Google's VRP: https://www.google.com/about/appsecurity/reward-program/

00:00 - Introduction

00:53 - Following reproduction steps

02:13 - What is postMessage()?

03:04 - Script Gadget: the hlc() function

03:30 - Script Gadget: ui.type instantiation

04:22 - Vulnerability summary

05:12 - Nick's focus on gviz

06:47 - Script Gadget: chartType injection

08:09 - Script Gadget: drawFromUrl exploit technique

08:57 - chartType injection fix

10:13 - Code refactoring cause of XSS

11:12 - How to find ui.type option?

14:04 - What to do with ui.type Script Gadgets?

15:13 - Why does hlc() exist?!

15:40 - JSONP sandbox

17:16 - Nick's background story

=[ ❤️ Support ]=

→ per Video: https://www.patreon.com/join/liveoverflow

→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

=[ 🐕 Social ]=

→ Twitter: https://twitter.com/LiveOverflow/

→ Website: https://liveoverflow.com/

→ Subreddit: https://www.reddit.com/r/LiveOverflow/

→ Facebook: https://www.facebook.com/LiveOverflow/