Wednesday, February 16, 2011

Google Security Vulnerability Reward Program: Google Finance Stored XSS

Google Finance lets you create portfolios. After a few tries I figured out a method to trigger XSS using the portfolio name.

What had to be done?

OK, at first I used different payloads in the portfolio name but nothing triggered. After some more research I found that once I create my portfolio with the payload as its name and click on one of the Deposit / Withdraw actions, my portfolio name is inserted into this function:

    function initPage() {
      dview = {
        id: '8',
        expected_hash: 'U66jb3VTR2ZPUjgtaXJqaXRZc2s33VNmVWdjfDEyOTc4NzE22NDk',
        edition: 'us',
        name: '--XSS PAYLOAD--',
        currency: 'USD'
      }, true,

The name lands in `name: '--XSS PAYLOAD--'`, a JavaScript string literal inside a script block, so I inserted this payload as the portfolio name: </script><body onload=alert(1)>. There was a filter: when you inserted </script>, the server removed everything before the </script>.
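The root cause above is a user-controlled value concatenated into a JavaScript string literal inside a script block, where `</script>` ends the block regardless of quoting. The following is an added example, not code from the post or from Google; it assumes a constructed template for the initPage() block and contrasts raw concatenation with serialising the value so that `<`, `>`, `&` and the JS line terminators can never reach the HTML parser:

```javascript
// Added example: embedding an untrusted portfolio name in a script block.
// Constructed sample inputs; the first is the payload described in the post.
const SAMPLE_NAMES = [
  "</script><body onload=alert(1)>",
  "Bob's 'Tech' Fund",
  "Line\u2028break",
];

// Vulnerable rendering (constructed template): raw concatenation into a
// single-quoted JS string. Only quotes are escaped, so "</script>" still
// closes the block and the rest is parsed as HTML.
function renderVulnerable(name) {
  const escaped = name.replace(/'/g, "\\'");
  return "<script>function initPage(){dview={name:'" + escaped + "'};}</script>";
}

// Hardened rendering: JSON.stringify handles quotes and backslashes, then the
// characters HTML or the JS parser treat specially inside a string literal
// are emitted as \uXXXX escapes, which JSON.parse/JS still decode correctly.
function jsStringForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderHardened(name) {
  return "<script>function initPage(){dview={name:" + jsStringForScript(name) + "};}</script>";
}

// Detection check for a rendered page: is there a closing script tag other
// than the one intentionally emitted at the very end?
function scriptBreaksOut(html) {
  const idx = html.toLowerCase().indexOf("</script");
  return idx !== -1 && idx !== html.length - "</script>".length;
}

for (const name of SAMPLE_NAMES) {
  console.log(JSON.stringify(name),
    "vulnerable breaks out:", scriptBreaksOut(renderVulnerable(name)),
    "hardened breaks out:", scriptBreaksOut(renderHardened(name)));
}
```

The same check can be run against server templates in review: any value inside a `<script>` block must be JSON-serialised with `<` escaped, or the `</script>` filter becomes the only line of defence.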

I appreciate the opportunity to preserve my skills and gain some more experience.
Thank you, Google security team.


  1. Did you get a reward for that bug?

  2. The answer is no. This is the first one I found and I just wanted to share the finding.
    The Google Security Team informed me that someone else had reported this issue before I had.

  3. Hey Ben,

    I asked because I was the guy who reported the issue before.
    Btw, I checked the bug again right now, and the fix is incomplete. 8-)