Introduction

"So you wanna Bug Hunter"

...but it was rejected :(. The reason behind it is that I have been on/off in the bug bounty business for a while, as you can see here:


Rule #1 of any bug hunter is to have a good RSS feed list





Rule #2 of any bug hunter is to NOT be too fussy with 'food', specifically with "leftovers"





Today's rule is:

Rule #3 of any bug hunter is to LOOK at the old stuff



and I hope you will understand why with the next picture.

Looking at https://sites.google.com

For some reason I can't remember, I was looking at https://sites.google.com and my attention was caught by something in the bottom left corner:



Well, do you know what I mean? Considering what I said above, the words "Classic Sites" are an immediate trigger for my bug bounty mind. So I decided to take a look at "Classic Sites" and I indeed spotted something interesting:

Using this gadget functionality it is possible to import an XML-based gadget to be displayed on the website. When I see "XML import", the natural connection for any security person is XXE, so I decided to give it a try. I quickly discovered that Google Sites implements this functionality using Apache Shindig (an old Apache project, now in the Attic). A quick inspection of the source code (in the end it is an open source project :p) showed that the code was safe regarding SSRF and exfiltration, but that it would be vulnerable to the Billion Laughs Attack.

After having a chat with a few people I decided to report this to Google and to ask for permission to poke the site for the Billion Laughs Attack. And it is basically when I did a Tweet poll:

"So twitterland, I do have a working billion laughs attack on a biiiiiiig website. What should I do?" — Antonio Sanso (@asanso) September 28, 2018

And it is basically what I did. As usual Google security was great and gave me the permission to give it a try. To be fair, they were a bit skeptical that this would actually work, but yeah, it would not have been a big deal in any case since the target was a containerized environment. So I tried to import an XML with the most classic of the Billion Laughs Attack payloads. And guess what? It kind of worked:

Again, not a big deal on Google's side, due to the virtualized environment. This was quickly fixed, as you can see here:



org.apache.shindig.common.xml.XmlException: JAXP00010001: The parser has encountered more than "64000" entity expansions in this document; this is the limit imposed by the JDK. At: (1,1)



I was actually a bit surprised by this, since in Java the default value of entityExpansionLimit was already set to 64000 in JRE 1.7_45. Does this mean that Google was running a really old version of Java, or maybe they were just defaulting to a different value? I do not know.
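As an added example (not the post's own code, and not the payload used against Google Sites), here is a Python pre-check that estimates how many entity expansions a document would trigger from its internal DTD subset, the same quantity the JDK's entityExpansionLimit of 64000 bounds, and rejects it before any XML parser touches it. It assumes general entities declared in the internal subset with double-quoted values; the sample documents are constructed for the test.

```python
import re

# Budget matching the JDK default entityExpansionLimit quoted in the post.
JDK_ENTITY_EXPANSION_LIMIT = 64000
# Assumption: internal DTD subset with double-quoted general entities only.
_DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)
_ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
_ENTITY_REF = re.compile(r"&(\w+);")
_PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}


def count_entity_expansions(xml_text):
    """Expansions a full parse would perform, derived from the declarations
    without expanding anything; ValueError on recursive definitions."""
    m = _DOCTYPE.search(xml_text)
    decls = dict(_ENTITY_DECL.findall(m.group(1))) if m else {}
    body = xml_text[m.end():] if m else xml_text
    memo = {}

    def cost(name, stack):
        # Expansions caused by one reference to `name`, itself included.
        if name in _PREDEFINED or name not in decls:
            return 0  # predefined, external or undeclared: nothing to grow
        if name in memo:
            return memo[name]
        if name in stack:
            raise ValueError("recursive entity: " + name)
        total = 1
        for ref in _ENTITY_REF.findall(decls[name]):
            total += cost(ref, stack | {name})
        memo[name] = total
        return total

    return sum(cost(ref, frozenset()) for ref in _ENTITY_REF.findall(body))


def is_safe_to_parse(xml_text, limit=JDK_ENTITY_EXPANSION_LIMIT):
    try:
        return count_entity_expansions(xml_text) <= limit
    except ValueError:
        return False  # recursive entities are rejected as well


def nested_entity_doc(depth, fanout=10):
    """Constructed fixture: level n references level n-1 `fanout` times."""
    names = ["e%d" % i for i in range(depth)]
    decls = ['<!ENTITY %s "x">' % names[0]]
    for prev, cur in zip(names, names[1:]):
        decls.append('<!ENTITY %s "%s">' % (cur, ("&%s;" % prev) * fanout))
    return "<!DOCTYPE d [\n%s\n]>\n<d>&%s;</d>" % ("\n".join(decls), names[-1])


# Constructed samples: a harmless gadget-like document and a recursive one.
BENIGN_DOC = '<!DOCTYPE m [<!ENTITY who "Antonio">]><m>&who; &amp; co</m>'
RECURSIVE_DOC = '<!DOCTYPE r [<!ENTITY a "&b;"><!ENTITY b "&a;">]><r>&a;</r>'
```

A six-level document with fanout 10 costs 111111 expansions and is refused under the 64000 budget, while five levels (11111) passes, which is exactly the kind of threshold the JDK error message above enforces at parse time.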

Summary

Google usually doesn't pay a bounty for DoS vulnerabilities, but they made a little exception this time, paying a $500 bounty. As usual, a big thank you to the Google security team and to Roberto Clapis for the help.



For more XML trickery follow me on Twitter.

tl;dr https://sites.google.com suffered from a Billion Laughs Attack vulnerability that made the containerized environment crash with a single invocation.

A few months ago I applied for a talk at a security conference titled "So you wanna Bug Hunter", and I would have liked to share some of the things I have learned during these years (not necessarily technical advice only). You can find a couple of these pieces of advice here: and here