[INVALID] Anti-XSS Protection Regex for google unsafe
Posted: Thu Aug 19, 2010 5:22 pm
by alh
The Regex in the Anti-XSS Protection for google:
^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
Allows for matches against domains that aren't owned by google. For example, the Anti-XSS protection doesn't work for the following example hostnames:
* http://www.google.pzt.com/?
* https://www.google.lol.com/custom?
As long as you have http://<subdomain>.google.<3 character domain>.<com net org etc>/? the match will work.
Not a huge issue, but not ideal.
Re: [INVALID] Anti-XSS Protection Regex for google unsafe
Posted: Thu Aug 19, 2010 5:26 pm
by Giorgio Maone
Thanks for the warning, but this is covered internally: if that regexp matches, a further test is done against the hostname to ensure that the terminal part after ".google." is actually a TLD.
Re: [INVALID] Anti-XSS Protection Regex for google unsafe
Posted: Thu Aug 19, 2010 5:50 pm
by alh
In my limited testing I haven't seen this to be the case.
How would the internals even be aware that what comes after google. is a valid TLD as long as the hostname overall is a valid hostname?
google.pzt.com is a valid hostname as far as syntax goes...
Re: [INVALID] Anti-XSS Protection Regex for google unsafe
Posted: Thu Aug 19, 2010 6:32 pm
by Giorgio Maone
alh wrote: google.pzt.com is a valid hostname as far as syntax goes...
But ptz.com is not a valid TLD.
Re: [INVALID] Anti-XSS Protection Regex for google unsafe
Posted: Sat Aug 21, 2010 2:13 am
by GµårÐïåñ
To simplify, what he means is that if what comes RIGHT AFTER google is not a valid TLD, then it would fail it. So doesn't matter what type of valid hostname you put in there, if it manages to somehow satisfy the regex, then it will be nailed by failing the domain test, if it ain't google.com google.TLD then it would not satisfy that and it's moot. Get it now?
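
The two-stage check discussed in this thread (the regex first, then a test that whatever follows ".google." in the hostname is a real suffix), as an added example that is not NoScript's code and not part of any post. The function names and the short suffix set are assumptions made for illustration; a real check would need a complete public-suffix list.

```javascript
// Added example, not NoScript's implementation. All names here are hypothetical.

// Stage 1 pattern: the regex quoted in the first post.
const GOOGLE_RE =
  /^https?:\/\/([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+\/(?:search|custom|\1)\?/;

// Constructed sample of public suffixes (assumption); a real list is far longer.
const SAMPLE_SUFFIXES = new Set(["com", "de", "fr", "co.uk", "com.au"]);

function matchesGoogleRegex(url) {
  return GOOGLE_RE.test(url);
}

// Returns the part of the hostname after ".google.", or null if absent/unparseable.
function suffixAfterGoogle(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
  const marker = ".google.";
  const i = host.indexOf(marker);
  return i === -1 ? null : host.slice(i + marker.length);
}

// Stage 2: the regex alone is not trusted; the suffix must be a known one.
function isTrustedGoogleUrl(url) {
  if (!matchesGoogleRegex(url)) return false;
  const suffix = suffixAfterGoogle(url);
  return suffix !== null && SAMPLE_SUFFIXES.has(suffix);
}

// Constructed sample URLs: two genuine shapes and two lookalike hostnames.
const samples = [
  "http://www.google.com/search?q=x",
  "http://www.google.co.uk/search?q=x",
  "https://www.google.lol.com/custom?q=x",
  "http://maps.google.pzt.com/maps?q=x",
];
for (const u of samples) {
  console.log(u, "regex:", matchesGoogleRegex(u), "trusted:", isTrustedGoogleUrl(u));
}
```

The lookalike hostnames pass the regex but are rejected because "lol.com" and "pzt.com" are registrable domains, not suffixes.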