Script Gadgets! Google Docs XSS Vulnerability Walkthrough

A very interesting Cross-site Scripting Issue in gDocs Spreadsheets. I get a chance to talk to the bug hunter Nick, as well as Google engineers to understand both sides. How did he find it? And why did this vulnerability exist in the first place?

Nickolay: https://thisisqa.com/

The video is sponsored by Google's VRP: https://www.google.com/about/appsecur...

00:00 - Introduction
00:53 - Following reproduction steps
02:13 - What is postMessage()?
03:04 - Script Gadget: the hlc() function
03:30 - Script Gadget: ui.type instantiation
04:22 - Vulnerability summary
05:12 - Nick's focus on gviz
06:47 - Script Gadget: chartType injection
08:09 - Script Gadget: drawFromUrl exploit technique
08:57 - chartType injection fix
10:13 - Code refactoring cause of XSS
11:12 - How to find ui.type option?
14:04 - What to do with ui.type Script Gadgets?
15:13 - Why does hlc() exist?!
15:40 - JSONP sandbox
17:16 - Nick's background story

=[ ❤️ Support ]=

→ per Video:   / liveoverflow  
→ per Month:    / @liveoverflow  

=[ 🐕 Social ]=

→ Twitter:   / liveoverflow  
→ Website: https://liveoverflow.com/
→ Subreddit:   / liveoverflow  
→ Facebook:   / liveoverflow