Wednesday, January 16, 2013

XSS in Google Art Project

Hi everyone.
This will be my 1st post for 2013. Hope it still not too late to wish you guys a Happy New Year. Hope you all live happily besides your love one :D

Few weeks ago, I found an XSS in one of the Google website, which is
The vulnerable part found in the search box. Tested the inpur validation and checked the source page,

hmmmm???? Looks quite promising. Just testing my luck using a simple XSS payload

x”</title><img src%3dx onerror%3dalert(1)>


BOOM! its executed

My 1st XSS found in Google Inc!
Immediately made a POC report and submit it to google security team.

They received my report on Jan 7 2013.

And received this email early in the morning (different timezone -___-")
And, I'll be in the Google Hall of Fame in a next few days! Congratz to myself.

Then, I tried around to test more on it. And found that, there's a stored XSS as well in it!
BUT, unfortunately, because of my 1st report, my next report on the same website had been clarified as dupelicate -___-"

Days after submitted the report, I tried to google around about this website and found that there's already a report made by @NightRang3r (Mr Shai Rod) previously on this website. He found a stored XSS in it.

That's all.



Rasyid said...

nice finding.

Amsama Revolve said...

Cool story

Muhamad Nur Fariq said...

Tahniah dud :)

Conspiracy Sykes said...

did you got $100 ?

p0pc0rn said...

sykes, yes.

all, thanks :)

Din Mujahideen said...


Sagar Sehgal said...

Well, Good find on search mate. Sorry to say, but I was the one who stole your another 100$ ;) I reported the Persistent one first and rewarded with 200$ (2 times- 100$ each, 1 still exists in Title)


p0pc0rn said...

nahh..its ok :)
congratz on that as well

Sahil Sehgal said...
This comment has been removed by the author.
Sagar Sehgal said...

Add me on

Kinda stuck on Google's XSS. We will divide the share if we get it don! ;)

p0pc0rn said...

i'll follow your twitter then. we can DM there :)