Sunday, December 15, 2013

Google Adwords Stored XSS - From Nay to Yay!

This is an old issue that I submitted to Google previously. Already shared the POC at my twitter on Sep' 13.

I promised to share a writeup on my recent finding in Google, but since the security team going to take some time to fix them, I'll share this as a replacement.

This issue was fixed in 2-3 days after my submission date. This is quite an interesting finding actually. The bug exist in the uploader function at "Upload editable report" under "Reports and uploads" tab.

A user can upload a report through this uploader for his/her reference in future. However, the filename parameter for the file can be manipulated since there's no sanitization happen on it.

The only filetype allowed to be uploaded are excel type; csv and tsv as shown in the website.
So what I did was, run a Burp to intercept the request and then change the filename into XSS payload.

Awesome!!!! A STORED XSS!! Moreover, if you guys look on it closely, the payload is properly hidden from user's view. Nice eh? haha..
Sent the report to Google team, and then wait for a few days to get their receive. At first I wonder why they took quite some times to accept this issue. Then, I realize that...this is actually...a SELF STORED XSS!!!

The team might reject or reward me with less amount if this is the case!!


Thanks to Nirgoldshlager presentation in Blackhat 2012 about his bounties I have my mind what I need to do.

As you can see, there's a function in Adwords where the owner of the account can invite his/her friend as a partner! Let us see if it working :)

yup2..our victim take his/her action to be a partner of evil mind.muahahaha..a confirmation email will be sent to us and we just need to grant the access to the victim.

Done. And the victim will get the confirmation email and then happily login into his/her Adwords account..

Sorry partner.muahahahaha...

Google Team response, 

So, I'm actually lucky since Adwords have this kind of function..but what if there's none?!!! This guy might have the answer :)

Thanks for your time. :)