Script Gadgets! Google Docs XSS Vulnerability Walkthrough
A very interesting Cross-site Scripting issue in gDocs Spreadsheets. I get a chance to talk to the bug hunter Nick, as well as Google engineers, to understand both sides. How did he find it? And why did this vulnerability exist in the first place?

Nickolay: https://thisisqa.com/
The video is sponsored by Google's VRP: https://www.google.com/about/appsecur...

00:00 - Introduction
00:53 - Following reproduction steps
02:13 - What is postMessage()?
03:04 - Script Gadget: the hlc() function
03:30 - Script Gadget: ui.type instantiation
04:22 - Vulnerability summary
05:12 - Nick's focus on gviz
06:47 - Script Gadget: chartType injection
08:09 - Script Gadget: drawFromUrl exploit technique
08:57 - chartType injection fix
10:13 - Code refactoring cause of XSS
11:12 - How to find ui.type option?
14:04 - What to do with ui.type Script Gadgets?
15:13 - Why does hlc() exist?!
15:40 - JSONP sandbox
17:16 - Nick's background story
