Researcher bypasses email filter with inspired style tag trickery.
A cross-site scripting (XSS) vulnerability in AMP for Email, Gmail’s dynamic email feature, has netted a security researcher a $5,000 bug bounty payout.
AMP for Email brings AMP functionality to rich, interactive emails. AMP itself is an open source HTML framework used to optimize websites for web browsing on mobile.
Adi Cohen, who unearthed the security flaw, said he had no problem finding a vector that triggered an XSS within the AMP playground, but found bypassing Gmail’s XSS filter a much tougher assignment.
The “easiest way to circumvent an XSS filter is by tricking it into a different rendering context than what the browser will actually use to render a given piece of code”, observed Cohen in a blog post.
Since AMP for Email forbids the likes of templates, SVG, math, and CSS, he instead targeted stylesheets as a potential path to an XSS payload with multiple rendering contexts.
This required a discrepancy between how the stylesheet is rendered by the filter and browser, either by “tricking the filter into believing a fake style tag is real”, or “the exact opposite”.
Cohen’s initial vector worked in the sandbox because AMP “leaves the CSS context as soon as it encounters the string ‘</style’ even if it doesn’t have a closing bracket (>) or at least a whitespace after it”.
He was then able to “trick the filter into believing we’re back in HTML context, while the browser obviously ignores </styleX> entirely and stays well within the realm of CSS”.
</styl> over substance
But “what looked like a promising vector in AMP, seemed way less interesting after Gmail ran its magic on it,” said Cohen.
A breakthrough came when he harnessed a CSS selector, which ensured the payload was returned unchanged by Gmail – “no escaping or other mutations”.
However, the malicious payload prompted an error after the AMP sandbox encountered ‘</style’, so Cohen tried </styl>, but Gmail’s filter was wise to its resemblance to </style>.
What worked instead was testing a benign payload with an encoded selector – because Gmail decoded it, he could use the selector to inject a closing style tag.
Cohen reported the issue to Google on March 27, 2021, and noticed on July 7 that it had been fixed.
Google addressed an unrelated, notable XSS in AMP For Email back in 2019, after security researcher Michał Bentkowski leveraged id attributes in tags to enable ‘DOM clobbering’ attacks.
Snapchat enables parents to keep an eye on who their kids are messaging on the platform
Former Super Eagles assistant coach takes over as manager of Danish team Jammerbugt
Alex Iwobi: “We were unfortunate” Everton can compete against any team
The DG exhorts NYSC members to accept postings in good faith
Students urge the FG once more to abide by the demands of ASUU
IG orders a comprehensive review of the Intelligence Units and expresses displeasure with police brutality and extortion
Buhari celebrates Ngige as he turns 70
Troops strike the Boko Haram commander and 27 others in Borno
Director of “Blood Sisters” Biyi Bandele passes away at 54
Davido posts a screenshot of himself and Chioma on a video conversation with the caption, “My gist partner.”
Dame Olivia Newton-John, a star of Grease, passes away at age 73
The Comanche warrior paint’s significance is explained by Prey star Amber Midthunder
Hold Me Closer, a collaboration song between Britney Spears and Sir Elton John, making the singer’s first single to be released since 2016
Your daily horoscope for Tuesday, August 9, 2022
BBNaija S7: Phyna, Bryann, Groovy, Ilebaye, and Khalid are up for eviction
“I’m sorry for all the embarrassment I’ve caused my wife, my kids, my mother and all our families,” – Two Face Idibia
How and when to view the best meteor shower of the year, the Perseids meteor shower, in 2022
Apple allegedly instructs suppliers to avoid labeling shipments to China with “Made in Taiwan”
Super Eagles hero celebrates Premier League accomplishment as “Dream Turns Reality”
Frenkie de Jong makes Chelsea transfer decision in phone call with Todd Boehly
Police re-arrest 25 other suspects and the escapee from Jos prison
Lagos policeman shoot and murder an ex-convict while battling with armed criminals
Cleaner received an eight-month sentence for stealing a laptop bag
Dariye and Nyame recover their freedom, 4 months after Buhari’s pardon
BREAKING: WAEC announces the 2022 WASSCE results
“Buga” is a victory song for Nigerian medalists
Kizz Daniel dazzles in a sold-out performance in Uganda
After four years of marriage, Gideon Okeke’s wife is getting a divorce
BBNaija S7: Beauty’s brother burns critics over disqualification: “Calm down, her script was wonderful.”
Your daily horoscope for Monday, August 8, 2022
#BBNaija: Christy O, Cyph evicted
Deadly Barcelona Thrashed PUMAS to win trophy, Lewandoski gets debut goal
Reactions to Manchester City’s opening-game 2-0 victory over West Ham: “Erling Haaland is scary.”
BBNaija S7: Beauty eliminated from reality TV show
Erik Ten Hag Chops First Breakfast as Man Utd Manager as Brighton Wins 2-1
Man Utd must let Ronaldo leave – Wayne Rooney
Australia Scholarship: Apply for Griffith University degree scholarship, 2022
Edo Govt To Recruit 1000 New Teachers, Train 650 Others
Ebonyi Govt Laments Destruction Of Airport Fence
Transfer: Real Madrid star, Isco to Sevilla as free agent
[STORY] THE WITCH’S DAUGHTER (Complete Episodes)
[STORY] MONEY OVER LOVE (Complete Episodes)
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Complete Episodes)
[STORY] THE WITCH’S DAUGHTER (Episode 07)
[STORY] SADE’S HEART TALE (Episode 19)
[STORY] THE WITCH’S DAUGHTER (Episode 03)
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Episode 01)
[STORY] MONEY OVER LOVE (Episode 01)
[STORY] THE WITCH’S DAUGHTER (Episode 01)
[STORY] MONEY OVER LOVE (Episode 09)
Revealed: Why Watford goalkeeper Maduka Okoye was not included in the team on Monday
[STORY] THE WITCH’S DAUGHTER (Episode 05)
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Final Episode 04)
[STORY] THE WITCH’S DAUGHTER (Episode 04)
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Episode 02)
[STORY] THE WITCH’S DAUGHTER (Episode 06)
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Episode 03)
[STORY] MONEY OVER LOVE (Episode 04)
[STORY] THE WITCH’S DAUGHTER (Episode 02)
[STORY] MONEY OVER LOVE (Episode 05)
[STORY] MONEY OVER LOVE (Episode 03)
[STORY] THE WITCH’S DAUGHTER (Final Episode 09)
[STORY] MONEY OVER LOVE (Episode 12)
[STORY] MONEY OVER LOVE (Episode 08)
[STORY] MONEY OVER LOVE (Episode 02)
[STORY] MONEY OVER LOVE (Episode 06)
BBNaija S7: Amaka and Phyna bemoan the lack of condoms in the home
Epic movie “Anikulapo” by Kunle Afolayan is scheduled to premiere in September
[STORY] THE WITCH’S DAUGHTER (Episode 08)
[STORY] MONEY OVER LOVE (Episode 14)
[STORY] MONEY OVER LOVE (Episode 11)
Nkem Owoh Breaks Silence On Claims He Rejected N10 Million To Endorse Bola Tinubu For President
[STORY] MONEY OVER LOVE (Episode 17)
[STORY] MONEY OVER LOVE (Episode 18)
[STORY] MONEY OVER LOVE (Final Episode 20)
[STORY] MONEY OVER LOVE (Episode 10)
“Nancy Isime Did Butt Enlargement Surgery” – Blessing Okoro Makes Shocking Revelation
BBNaija S7: Denrele claims that bbnaija candidates send him n*des and millions of naira in order to take part in the show
[STORY] MONEY OVER LOVE (Episode 19)
[STORY] MONEY OVER LOVE (Episode 13)
ANE's Billboard Hots
Technology1 month ago
VoIP Number: Everything You Need To Know
Music6 years ago
[Music] Ed Sheeran – Perfect
Music5 years ago
[Music] Wiz Khalifa – See You Again ft. Charlie Puth
Music1 month ago
[Instrumental] Wiz Khalifa – See You Again ft. Charlie Puth
ANE Stories1 month ago
The Story Of My Life (Complete Episode 1 – 47)
Movie Subtitle1 month ago
DOWNLOAD Complete Money Heist Season 1 Subtitles File [English SRT] 2017
Music1 month ago
[Video] 21 Savage ft. Offset & Metro Boomin – Rap Saved Me
Music3 years ago
[Music] Gnash Ft Olivia O’Brien – I Hate you, I Love you