Google bug stories and the shiny Pixelbook.
Peace upon you hunters, hope y'all doing good. My gift from the Google security team landed today. Here I am sharing the bugs that got it for me over the past year (2017), which also ranked me 7th on the Google HOF. Anyway, there is nothing special about them, but folks wanted to see them.
Appreciation has always had its own words. Thanks guys @sirdarckcat pic.twitter.com/jm2aUTMMvQ
— Missoum Said (@missoum1307) February 19, 2018
1) google.com/adsense/ DOM XSS: I was rediscovering the app; I usually do that with Google VRP, since they push updates and new designs from time to time. I had just noticed this URL loading: https://www.google.com/adsense/new/u/pub-444/home?host-callback-url=domain.com. Nobody would have missed it; 100 percent of hunters would try their bullet in the host-callback-url parameter, so did I, and got the XSS fired. The full XSS URL was as follows: https://www.google.com/adsense/new/u/pub-444/home?host-callback-url=javascript:alert(0)
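The fix for this bug class, as an added example that is not code from the original post or from Google: validate a callback-URL parameter before it reaches a navigation sink. The allow-listed hosts and the base URL are constructed assumptions.

```javascript
// Added example, not code from the original post or from Google: the safe way to
// consume a "callback URL" query parameter such as host-callback-url before it
// reaches a navigation sink. Vulnerable pattern being replaced (as the post describes):
//   location.href = new URLSearchParams(location.search).get('host-callback-url');
// Assumption (constructed): only https URLs on this allow-list of hosts are legitimate.
const ALLOWED_HOSTS = new Set(['www.example.com', 'partner.example.net']);

// Returns a normalized https URL on an allowed host, or null for anything else
// (javascript:, data:, protocol-relative //evil, unknown hosts, unparsable input).
function resolveCallback(rawValue, base = 'https://www.example.com/') {
  let url;
  try {
    url = new URL(rawValue, base);      // also resolves relative paths against base
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;        // scheme check is the XSS fix
  if (!ALLOWED_HOSTS.has(url.hostname)) return null; // host check is the open-redirect fix
  return url.href;
}

// Reads host-callback-url from a query string; null means "use the default page".
function getHostCallback(search) {
  const raw = new URLSearchParams(search).get('host-callback-url');
  return raw === null ? null : resolveCallback(raw);
}

// Usage in a browser, with a safe fallback instead of trusting the parameter:
// location.href = getHostCallback(location.search) || '/home';
```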
2) business.google.com stored XSS:
If you have ever hunted on business.google.com, then you have seen that they have an option
for editing the website of your business location. What you can be sure of with website editing is
always the ability to inject at least tags like
3) Changing your home temperature by leaking your Nest access token in the Referer:
One day I was checking my phone (an Android device) and saw that they wanted to push an update, which was the Google Assistant
with her lovely voice lol. After the Assistant installed, I fired up Burp Suite and started looking around the app, and I was
lucky that there were many things to play with.
In Google Assistant you can control your smart home devices by linking third parties (the ones that control your smart
home's devices). What caught my attention there was the Nest app, as it is owned
by Google, while the others are just third parties and won't be rewarded.
The attack flow was as follows:
the redirecting was coming back through
4) Google Local Guides stored XSS via AngularJS injection: if you are used to sharing reviews and photos about places on Google Maps, then you are familiar with the Google Local Guides product. At a certain level, Google will offer to let you create a meetup. Creating a meetup with an AngularJS expression in the meetup's name got stored and executed back. Contribute whenever you can with Google.
5) Google Maps reflected XSS: this one was also related to Google Local Guides but with a different root. Like every hunter, I have multiple Google accounts. At one point I was trying to access a URL from an account with the create-meetup privilege using an account without that privilege, and then something interesting showed up on screen: a URL with a parameter and value I was not used to seeing, especially when you are familiar with Google VRP. The value was reflected back naked, I mean without sanitizing special characters. So the vulnerable URL was something like: google.com/maps/apis/authen?par=XSS-goes-here. I forgot to take any screenshots or record the PoC, and deleted the report email. Besides, my account in Google Local Guides was blocked by a Google staff member. The lesson learned here is: always check apps, links and features with a low-privilege account, especially with Google VRP; you have no idea what will show up.
6) explorer.earthengine.google.com reflected XSS, IE only:
This XSS was found after reading:
Combination of techniques lead to #DOM Based #XSS in #Google. https://t.co/tqt3nbRNJX #VRP #XSS #Google //cc:@sirdarckcat
Google Earth Engine is a planetary-scale platform for Earth science data and analysis. I decided to take a look, felt it was vulnerable, and my perspective was correct. When it comes to data, the application should have something like uploading or downloading data; examining the application revealed a feature to add a data layer from a Fusion Table.
I would mention here that this feature was available in some accounts and not in others; honestly, till now I don't know why!
Uploading the data showed that the table name was stored without sanitizing. But wait, the response was application/json. Checking the HTTP headers also showed there was neither X-Frame-Options nor X-Content-Type-Options. As some of you have learned, I am describing the perfect conditions to get an XSS on IE 11, which sniffs the content type to text/html.
@cure53berlin's research shows a trick for how to do that. Their research is a treasure; I highly recommend reading it carefully.
This was a self-stored XSS until I discovered that adding the data was lacking CSRF protection. Combining these minor issues, I could XSS the victim account. Sometimes bugs are looking for ya.
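How the JSON endpoint should have answered, as an added example that is not code from the original post or from Earth Engine: the reflected name is escaped so a sniffing browser sees no markup, and the missing headers are set. The "table name" and header audit are constructed; CSRF protection for the upload is a separate fix not shown here.

```javascript
// Added example, not code from the original post or from Earth Engine: hardening a
// JSON endpoint that echoes a user-supplied name (here a constructed "table name"),
// closing the IE 11 content-sniffing path the post describes.

// JSON stays valid after these escapes, but a browser that sniffs the body as
// HTML can no longer find a tag or entity in it.
function jsonEscapeForHtml(jsonText) {
  return jsonText
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')   // line separators that break inline <script> JSON
    .replace(/\u2029/g, '\\u2029');
}

function buildJsonResponse(payload) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',   // the header whose absence enabled the sniff
      'X-Frame-Options': 'DENY',
      'Content-Disposition': 'attachment; filename="data.json"', // never rendered inline
    },
    body: jsonEscapeForHtml(JSON.stringify(payload)),
  };
}

// Audit helper for a captured response: returns the names of the defences that are
// missing, so an empty array means the response has all of them.
function auditResponseHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const missing = [];
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') missing.push('x-content-type-options');
  if (!h['x-frame-options']) missing.push('x-frame-options');
  if (!/^application\/json/i.test(h['content-type'] || '')) missing.push('content-type');
  return missing;
}
```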
These bugs were all I could collect. There were still two or three high-bounty bugs, but I couldn't find them. I hope you didn't get bored reading it. I highlighted some advice that helps you with Google VRP. I would like to thank the Google security team, especially @sirdarckcat; this guy is a strong bridge between hunters and Google VRP. Just leave us a comment if you feel like it at @missoum1307. Peace upon you.