viernes, 24 de enero de 2014

Stored XSS on Google [no bounty, no Hall of Fame]

Hi World!
A few months ago I found the method by which I could upload a flash file to Google with a XSS alert. I reported it but they said this:
Hey, Thanks for your bug report! The domain in which the feature is hosted - googlegroups.com - is specifically meant as a compartmentalized "sandbox" for various types of potentially unsafe, user-controlled content. This domain is isolated from any sensitive content due to the same-origin policy. You can read more about commonly reported false positives here: http://www.google.com/about/appsecurity/reward-program/#notavuln Regards, Adam B.

To reproduce the vulnerability I followed this steps:

Here I uploaded my .swf file with the XSS alert...
And finally...


Regards.

1 comentario:

Please, leave a comment! Thank you!