Friday, January 18, 2013

Wednesday, January 16, 2013

XSS in Google Art Project

Hi everyone.
This will be my 1st post for 2013. Hope it still not too late to wish you guys a Happy New Year. Hope you all live happily besides your love one :D

Few weeks ago, I found an XSS in one of the Google website, which is www.googleartprojects.com.
The vulnerable part found in the search box. Tested the inpur validation and checked the source page,

hmmmm???? Looks quite promising. Just testing my luck using a simple XSS payload

x”</title><img src%3dx onerror%3dalert(1)>

 and..

BOOM! its executed

My 1st XSS found in Google Inc!
Immediately made a POC report and submit it to google security team.

They received my report on Jan 7 2013.

And received this email early in the morning (different timezone -___-")
And, I'll be in the Google Hall of Fame in a next few days! Congratz to myself.

Then, I tried around to test more on it. And found that, there's a stored XSS as well in it!
BUT, unfortunately, because of my 1st report, my next report on the same website had been clarified as dupelicate -___-"



Days after submitted the report, I tried to google around about this website and found that there's already a report made by @NightRang3r (Mr Shai Rod) previously on this website. He found a stored XSS in it.


That's all.
Thanks
@yappare