The vulnerability was found with the aid of a tool called DOMinatorPro

Nov 5, 2012 15:02 GMT

Security researchers from Minded Security have identified a DOM-based cross-site scripting (XSS) vulnerability in the +1 button of the Google Plus social network. The flaw was discovered with the aid of DOMinatorPro, a clever tool that can be highly useful for finding such bugs in JavaScript web apps.

The vulnerability was caused by the lack of proper input validation mechanisms. To demonstrate their findings, the researchers have published a technical analysis of the flaw, along with a proof-of-concept video that also shows how DOMinatorPro works.

Before making their findings public, the experts notified Google, which rushed to address the issue by adding input validation.

Experts say that because JavaScript is not easy to analyze, DOM XSS vulnerabilities often go untested.

However, with a tool such as DOMinatorPro, webmasters and penetration testers can easily test an app even with little JavaScript knowledge.