

Palant found an XSS bug on an error page that gets presented when a user tries to submit a video after already submitting one for an assignment. The page contained a "View on Classroom" button that sent the user to Google Classroom using this code: window.open(courseworkLink)

"It's a query string parameter," Palant explains in his post. "Is there some link validation in between? Nope. So, if the query string parameter is something like javascript:alert(document.domain), will clicking this button run JavaScript code in the context of the domain? It sure will!"

To make that happen, the attacker would still need to trick the victim into clicking on this button. But as Palant observed, the page contained no protection against framing, meaning it was susceptible to clickjacking. So his proof-of-concept attack did just that, loading the vulnerable page in an invisible frame and positioning it under the mouse cursor so any click would be passed through to the hidden button. Thereafter, the page could message Screencastify to fetch the victim's Google access token and ask Google for the user's identity. It could also list Google Drive contents or start a recording session.

Palant said he reported the issue on February 14, 2022, and his message was acknowledged the same day. A day later, the XSS on the error page was fixed.
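The two weaknesses described above, as an added example that is not Screencastify's code: the unvalidated window.open() pattern beside a hardened version that only accepts https links to an allowlisted host, plus the response headers that deny framing. The allowlist host and the function names are assumptions for illustration.

```javascript
// Added example (not Screencastify's code). Host allowlist is an assumption.
const ALLOWED_HOSTS = new Set(["classroom.google.com"]);

// Vulnerable: the query-string value goes straight to window.open(), so a
// value such as "javascript:alert(document.domain)" runs in the page's origin.
function vulnerableViewOnClassroom(courseworkLink, win) {
  win.open(courseworkLink);
}

// Hardened: parse the parameter as an absolute URL and accept only https to an
// allowlisted host; return null (open nothing) for anything else.
function safeClassroomLink(courseworkLink) {
  let url;
  try {
    // No base URL: relative and protocol-relative values ("//evil/x") throw
    // and are rejected instead of resolving somewhere unexpected.
    url = new URL(courseworkLink);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;        // rejects javascript:, data:, http:
  if (!ALLOWED_HOSTS.has(url.hostname)) return null; // rejects open redirects
  return url.href;
}

// Returns true if a window was opened, false if the link was rejected.
function hardenedViewOnClassroom(courseworkLink, win) {
  const target = safeClassroomLink(courseworkLink);
  if (target === null) return false;
  win.open(target, "_blank", "noopener");
  return true;
}

// Headers the error page should have sent; either one stops it being framed,
// which removes the clickjacking step of the attack chain.
function antiFramingHeaders() {
  return {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
  };
}
```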
