Friday, 14 February 2014

Google Currents Stored XSS [Sandbox, no fix]

Hi all!
This afternoon I remembered one of my Google XSSes and I want to publish it. When I found it, I reported it to the Google Security Team and they told me that it was a sandbox domain, so I wasn't eligible for a reward.

I understand it, but... it is a real XSS, so I am going to publish it ((:
To reproduce it:
  1. Go to: https://www.google.com/producer/home
  2. Create a new edition (random values).
  3. Create a new section of articles.
  4. Create a new article inside of your new section.
  5. Type random values (as always), but type your XSS payload in the "Body" field or "Title" field.
  6. Publish the article and you will get your XSS alert.
But... what if I visit my article with my phone?
YES! I will get the same XSS alert :D
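The fix for a stored XSS like this one is contextual output encoding of the stored "Title" and "Body" fields on every render path (the web view and the mobile view alike). The following is an added example, not Google's code: a hypothetical article record, the unsafe interpolation pattern beside its hardened form, and a publish-time check that flags injected markup in the rendered page.

```javascript
// Added example (not Google's code). Assumes a hypothetical article
// object with "title" and "body" fields, as created in the steps above.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode untrusted text for the HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Unsafe rendering: stored fields are interpolated straight into markup.
// This is the pattern behind a stored XSS in a title or body field.
function renderArticleUnsafe(article) {
  return `<article><h1>${article.title}</h1>` +
         `<div>${article.body}</div></article>`;
}

// Hardened rendering: every untrusted value is encoded for its context.
function renderArticleSafe(article) {
  return `<article><h1>${escapeHtml(article.title)}</h1>` +
         `<div>${escapeHtml(article.body)}</div></article>`;
}

// Publish-time check: once the template's own tags are stripped, no angle
// brackets may remain; any that do came from user-controlled fields.
const TEMPLATE_TAGS = /<\/?(article|h1|div)>/g;
function hasInjectedMarkup(html) {
  return /[<>]/.test(html.replace(TEMPLATE_TAGS, ""));
}

// Constructed sample article carrying a marker payload in the title,
// of the kind the report describes landing in the "Title"/"Body" fields.
const sampleArticle = {
  title: "Hello <script>alert(1)</script>",
  body: 'Text with "quotes" & <b>tags</b>',
};

console.log(hasInjectedMarkup(renderArticleUnsafe(sampleArticle))); // true
console.log(hasInjectedMarkup(renderArticleSafe(sampleArticle)));   // false
```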

A few images: (screenshots omitted)

Kind regards!

3 comments:

  1. It is very good :) Thank you for the share.

  2. Sorry for my English. Did Google fix the problem? I have just tested and got no problems. What XSS code did you type?

    Replies
    1. No, they haven't fixed it yet. The attack vector was a simple one, but it combines most of the ones I use. Regards.

