Sunday, February 27, 2011

Google Security Vulnerability Reward Program: Google Website Optimizer - Stored XSS

Google WebsiteOptimizer Google's free website testing and optimization tool, missed a very important check when people create their experiments. additionally they made it more easier to exploit.

What Had to be done?

The first step was creating a new experiment I preferred A/B Experiment, then I had an option to add URLs to verify my website is real, as first I inserted some string "BenHayak" for example and pressed continue.
After that screen I had an option to throw the dirty job over to my "Webmaster" - "Your Webmaster will install and do the dirty work for you ;)". Great they give me a link to Google domain validation page with links to BenHayak when I clicked it I noticed it opens a page with only "BenHayak" in the address bar.
Then I made another Experiment filled with many javascript:alert('BenHayak'); and sent this stored xss report alog with recommendation to always check for "http://" in the input.

POC link: Click to trigger the Alert stored xss

Image triggering the xss:

I appreciate the opportunity to preserve my skills and gain some more experience
Thank you Google security team.

1 comment: