Pages

Wednesday, February 16, 2011

Google Security Vulnerability Reward Program: Google Finance Stored XSS

Overview
Google Finance lets you create Portfolios. After a few tries I figured a method to 
Trigger XSS using portfolio name.

What Had to be done?

OK, at First I used different payloads in the Portfolio name but nothing triggered,
but after some more research I found that after I create my Portfolio payload and click on one of these Deposit / Withdraw my Portfolio name is inserted into this function
function initPage() {
initVars();
dview = google.finance.portfolio.init({
id: '8',
expected_hash: 'U66jb3VTR2ZPUjgtaXJqaXRZc2s33VNmVWdjfDEyOTc4NzE22NDk',
edition: 'us',
name: '--XSS PAYLOAD--',
currency: 'USD'
}, true,
'/finance/s/7skxqAM7Z8M/chart9.swf?hl=en&gl=us',
true
,
false,
''
);
name: '--XSS PAYLOAD--' , so I inserted this payload as portfolio name: </script><body onload=alert(1)>  there was a filter that when you insert this </script> the server removed everything before the </script>


I appreciate the opportunity to preserve my skills and gain some more experience
Thank you Google security team.

5 comments:

  1. Do you got a reward for that bug?

    ReplyDelete
  2. The Answer is no, this is the first one I found and just wanted to share the finding,
    Google Security Team acknowledged me that someone else reported this issue before i have.

    ReplyDelete
  3. Hey Ben,

    I asked because I was the guy who reported the issue before.
    Btw. I checked the bug again right now. And the fix is incomplete. 8-)

    ReplyDelete