Hi There,
This is a long-delayed writeup; I reported this vulnerability around March this year, but didn't realize the bug had been fixed until now.
Let's get started.
Abstract:
Google Books has implemented the X-Frame-Options header as protection against clickjacking attacks.
I was able to bypass this protection and clickjack the Google Books Dashboard.
Background:
So one good evening, when I was checking out some books on Google, I came across this preview page which, for some strange reason, looked vulnerable to me, and I started testing it out.
While testing the webpage I found that Google allows its books to be embedded into another webpage by using an embed code.
This is an example embed code:
<iframe frameborder="0" scrolling="no" style="border:0px" src="https://books.google.co.in/books?id=YJKbVzeabJYC&lpg=PP1&dq=web%20application%20hackers&pg=PP1&output=embed" width=500 height=500></iframe>
By reading the code one could easily tell that the X-Frame-Options header protection will be turned off for the IFrame source URL to make it framable on another webpage.
The HTTP response headers of the embed code are:
By comparing the framable URL with the original Google eBook URL, I found an interesting parameter: output=embed
Original webpage URL
https://books.google.co.in/books?id=YJKbVzeabJYC&printsec=frontcover&dq=web+application+hackers&hl=en&sa=X&redir_esc=y#v=onepage&q&f=false
Framable URL
https://books.google.co.in/books?id=YJKbVzeabJYC&lpg=PP1&dq=web%20application%20hackers&pg=PP1&output=embed
Using this parameter, Google was removing X-Frame-Options and making a book framable.
Now the question is: will this parameter remove X-Frame-Options from any other webpage and make it framable?
Answer: Yes
HTTP response of the Google Books Dashboard
HTTP response of the Google Books Dashboard with the output=embed parameter
Impact: With just 2 clicks on a proof-of-concept webpage, all books from your bookshelf could be deleted.
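To make the defect concrete from the server's side, here is an added Python example (my own code, not Google's, and not code from the original writeup). It models the bug the post describes: a global "output=embed" switch that strips X-Frame-Options from every page, including the authenticated dashboard, beside a hardened version that only honours the switch on an allowlisted viewer route and sets a CSP frame-ancestors directive everywhere else. The route names /books and /dashboard, the query value id=EXAMPLE, and the audit helper are assumptions for illustration; only the output=embed parameter and the X-Frame-Options header come from the writeup.

```python
from urllib.parse import parse_qs

# Hypothetical allowlist: only the public book viewer route may be framed.
# The real Google route layout is not known from the writeup.
EMBEDDABLE_PATHS = {"/books"}


def _has_embed_output(query_string):
    """True when the query string carries output=embed (the parameter the writeup found)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return "embed" in params.get("output", [])


def vulnerable_frame_headers(path, query_string):
    """Models the bug described above: output=embed removes X-Frame-Options from
    ANY page, so the dashboard becomes framable as well as the book viewer."""
    headers = {"X-Frame-Options": "SAMEORIGIN"}
    if _has_embed_output(query_string):
        del headers["X-Frame-Options"]  # applied regardless of path: the defect
    return headers


def hardened_frame_headers(path, query_string):
    """Fixed version: the embed switch is honoured only on allowlisted viewer routes.
    Every other page, including authenticated ones, gets both X-Frame-Options and a
    CSP frame-ancestors directive, so a stray query parameter cannot make it framable."""
    if path in EMBEDDABLE_PATHS and _has_embed_output(query_string):
        # Intentionally embeddable: allow any ancestor for the public viewer.
        return {"Content-Security-Policy": "frame-ancestors *"}
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def is_framable(headers):
    """Would a browser let an arbitrary cross-origin page frame this response?
    When both headers are present, CSP frame-ancestors takes precedence over
    X-Frame-Options. Only the wildcard case is treated as framable-by-anyone."""
    csp = headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        directive = directive.strip()
        if directive.startswith("frame-ancestors"):
            sources = directive.split()[1:]
            return "*" in sources
    xfo = headers.get("X-Frame-Options", "").upper()
    return xfo not in ("DENY", "SAMEORIGIN")


def audit(header_builder, paths=("/books", "/dashboard")):
    """Defensive check: for each route, report whether appending output=embed
    makes the response framable. The query value id=EXAMPLE is constructed."""
    return {p: is_framable(header_builder(p, "id=EXAMPLE&output=embed")) for p in paths}


if __name__ == "__main__":
    print("vulnerable:", audit(vulnerable_frame_headers))
    print("hardened:  ", audit(hardened_frame_headers))
```

The audit on the vulnerable builder reports the dashboard as framable once output=embed is appended, which is exactly the condition the writeup's second response screenshot shows; the hardened builder keeps the dashboard non-framable while the viewer stays embeddable. The same check, run against live responses in a header-comparison test, is a cheap regression test for any site that exposes an "embed mode" parameter.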
Reward: $500
Thanks for Reading :)