Stories of XSS in Google (April – May, 2016)


Hello,

This is my first blogpost, finally 🙂
I decided to write a post about my findings in the Google Bug Bounty program last month. I got several nice XSS bugs, but unfortunately some of them were duplicates. That's okay; at least I got some nice bounties for the rest.

It started with a "Grant Awarded" email. I had previously avoided this bug bounty because I thought it must be hard to find a bug in this program, and that it would waste my time.

But after getting this grant, I tried looking for issues, and the story started....
All of the issues below have been fixed:


1. XSS in YouTube (Part 1)

The playlist section on YouTube was vulnerable to XSS. Just put the payload in the field and the alert would pop up.
But unfortunately this issue was a duplicate 🙁



2. XSS in YouTube (Part 2)

I got another XSS in YouTube, this time in the "Subtitle" section.
Just put the payload in the "Subtitle" field; then, when checking the transcript on the video page, the alert would pop up.


The issue was valid and I got a nice bounty for this one.
Thanks Google 🙂


3. XSS in Google Payments

I was checking Google Consumer Surveys, and I got this XSS:

1. Create a new survey
2. Change the survey name: put the XSS payload in it
3. Click on “Buy Now”

And the payload would be executed.....


After further investigation, I found that the payload also executed under https://wallet.google.com/ and https://bpui0.google.com/



And they decided to count them as one bug, but that's okay. Again, this one was valid 🙂


4. XSS in Android Developers

The "Search" field on the Android Developers page was vulnerable to XSS. Since the search term travels in the URL fragment, it is handled entirely by the page's client-side JavaScript.
The PoC would be: https://developer.android.com/index.html#q=[XSS_Payload]
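As an added illustration (not code from this post or from Google's pages) of why a search term carried in the URL fragment like the "#q=" above is a client-side problem: the fragment never reaches the server, so the browser-side code that reflects it into the page is the only place to fix it. The function names and the page markup are assumptions made for the example.

```javascript
// Added example: a DOM-XSS sink of the kind a "#q=" search page can have,
// beside its fixed version. Everything here is hypothetical, not the code
// of any real site.

// Pull the q= value out of a fragment such as "#q=hello%20world".
function parseFragmentQuery(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return params.get("q") || "";
}

// Vulnerable pattern: the raw term is concatenated into HTML markup, so
// "<" and quotes inside it are parsed as tags/attributes once the string
// is assigned to innerHTML or written with document.write.
function renderHeadingVulnerable(hash) {
  const q = parseFragmentQuery(hash);
  return '<h2 class="results-for">Results for ' + q + "</h2>";
}

// Minimal HTML entity escaping for text nodes and quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Fixed pattern: the term is escaped before it is placed in markup. In a
// real page, element.textContent = q avoids building HTML strings at all.
function renderHeadingSafe(hash) {
  const q = parseFragmentQuery(hash);
  return '<h2 class="results-for">Results for ' + escapeHtml(q) + "</h2>";
}

// Constructed input: a term containing markup, percent-encoded the way a
// browser carries it in the fragment.
const probe = "#q=" + encodeURIComponent("<script>alert(1)</script>");
console.log(renderHeadingVulnerable(probe)); // markup survives intact
console.log(renderHeadingSafe(probe));       // markup shown as plain text
```

Any place the page writes the decoded term into the DOM as HTML is the same sink; the escaping (or a textContent assignment) has to happen at every one of them.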


This bug was a duplicate. Sad, but it's okay; the saga should continue.....


5. XSS in Google Inbox

This is my favorite one. After getting some valid bugs, I was encouraged to do more, and after some testing sessions, I got this bug.
While checking this site, I started with the Google search "site:inbox.google.com" and this line appeared:


And my evil mind told me to check the "subject" and "body" parameters on this URL.
And finally….


Yeah, I got another valid one 🙂


6. XSS in Google Subdomain (Soon) 

Sadly, this one is also a duplicate...


I will share the bug once the issue has been fixed.


===============================================================

Thank you for reading my post. Good luck with your bug hunting 🙂