[HN Gopher] Common Google XSS
___________________________________________________________________
Common Google XSS
Author : matan-h
Score : 127 points
Date : 2024-05-06 20:02 UTC (2 days ago)
(HTM) web link (matan-h.com)
(TXT) w3m dump (matan-h.com)
| acer4666 wrote:
| Does this JavaScript run in the same origin as the Google domain?
| Surely this is just an open redirect rather than xss?
| notachatbot1234 wrote:
| > because it's really an openredirect->xss by the book.
|
| says the article. If you disagree, could you elaborate why?
| thephyber wrote:
| Based on the payload the author describes, it _does_ look like
| an XSS.
|
| The server response probably injected the "continue" parameter
| into a <meta http-equiv="refresh" content="0: url=..." />.
| Google's bug bounty team likely would have adjusted the reward
| downward if it was not an XSS.
| AndrewThrowaway wrote:
| From article:
|
| So I tried placing there
| continue=javascript:alert(document.domain), and... It works!
|
| What do you think document.domain returns in this case?
| starmilk wrote:
| document.domain returns the current domain used in the
| document because no redirect occurred. Similar to if you
| typed it in your address bar right now, it should show you
| the HN domain.
|
| It's commonly used as a placeholder in an alert-box XSS PoC.
| Weaponising this into an actual exploit could have been a
| fetch(), css inclusion, or enumerating localstorage.
| purple-leafy wrote:
| That's awesome, I hope to collect a Google bug bounty one day
| yagop wrote:
| What is the "Easter egg in this article"?
| VPenkov wrote:
| Spoiler alert:
|
| It has an XSS vulnerability baked in - if you add a
| `?continue=javascript:alert('Hi')`, you'll see a button below
| the easter egg text
| russianjoe wrote:
| go here and click the button
|
| https://matan-h.com/common-google-xss?continue=javascript:al...
| acoyfellow wrote:
| 3,133.7 is a great reward!
| seanw265 wrote:
| Is it? I'm not so familiar with the specifics of bug bounty
| programs, but it seems like this issue could cause much more
| than 3k in damages if it were to be exploited.
|
| Similarly, I'm kind of shocked that Google is only offering 30k
| for discoveries of remote code execution vulnerabilities on
| their own servers. I don't mean to trivialize that amount of
| money, but compared to the scope of what that kind of
| vulnerability could be used for it seems insignificant. There's
| the potential for access to internal Google secrets and private
| data belonging to users. Would a government not pay 10-20x for
| something like that?
| kccqzy wrote:
| Governments achieve code execution within Google by sending
| special agents to become employees of Google.
| benregenspan wrote:
| Very nice write-up, I like that you covered all the steps
| including initial research that led you to the target
| *.googleapps.com site.
___________________________________________________________________
(page generated 2024-05-08 23:01 UTC)