Hello all!!!
It's been a long time since I blogged about my findings, so today I'm going to post about one of my XSS bugs on Google and one of the tricks I use to find such bugs.
Let's begin. I have a trick, which you may or may not already know ;), that I use during my tests.
The trick is to drop the request in Burp Suite and see what page I get back. (Many researchers just turn off Wi-Fi instead.)
Usually you'll end up with an error from Burp Suite saying the request was cancelled by the user, but in many cases you'll get an error page from the site instead. (I need to write an extender for this!)
[Screenshot: Survey error page]
[Screenshot: Burp Suite error]
I go back to Google subdomains a million times to see if there's a new change or new JS files, or just to look around and see if I missed something.
I went back to surveys.google.com, which lets any user create a survey, to see if I could find bugs that I had missed in my previous visits.
After a few hours, I decided to try my trick, so here is what I did:
1. Log in to https://surveys.google.com/your-surveys
2. Turn on Burp Suite.
3. Click on the three dots on the right, then Delete.
4. Drop the request in Burp Suite, and then drop it again; a total of two requests should be dropped.
5. You'll see a new page in the browser with "TRY AGAIN" and "GET HELP" links.
6. The "TRY AGAIN" href is "javascript:window.location.href=window.location.href".
7. Set the URL to https://surveys.google.com/your-surveys?#"><img src=y onerror=confirm(1)>
8. Chrome's XSS Auditor will block the request.
As you can see, the DOM XSS was blocked by Chrome's XSS Auditor, which was enough to report it to Google.
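To show why the error page above is exploitable and what the fix looks like, here is an added example that is not code from the original post or from Google Surveys. It assumes (the post does not say so) that the error page's "TRY AGAIN" link is built by concatenating the current URL into an HTML attribute; the `renderTryAgain*` functions, `encodeAttr` and `countTags` are all names I made up, and the sample URL is constructed from the payload in the post. It runs in plain Node.js with no DOM.

```javascript
// Added example (not the original post's code). Models, as an assumption, an
// error page that interpolates the current URL into a link, and contrasts the
// unencoded version with an attribute-encoded one.

// Constructed sample URL carrying the attribute-breakout payload from the post.
const SAMPLE_URL =
  'https://surveys.google.com/your-surveys?#"><img src=y onerror=confirm(1)>';

// Vulnerable pattern: the raw URL lands inside a double-quoted attribute, so a
// `"` in the query/fragment closes the attribute and `>` closes the tag.
function renderTryAgainUnsafe(currentUrl) {
  return '<a href="' + currentUrl + '">TRY AGAIN</a>';
}

// Minimal HTML attribute encoder: every character that can terminate or alter
// an attribute value is replaced with its entity.
function encodeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: encode before interpolating, so the payload stays inert text.
function renderTryAgainSafe(currentUrl) {
  return '<a href="' + encodeAttr(currentUrl) + '">TRY AGAIN</a>';
}

// Better still: a retry link needs no user-controlled data at all. The page
// script can attach a click handler that calls location.reload().
function renderTryAgainNoReflection() {
  return '<a href="#" id="try-again">TRY AGAIN</a>';
}

// Crude opening-tag counter used only to make the difference visible in a
// test; a real check would parse the markup with the browser's DOM.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Returns both renderings side by side for inspection.
function demo(currentUrl = SAMPLE_URL) {
  return {
    unsafe: renderTryAgainUnsafe(currentUrl), // two tags: <a> plus the injected <img>
    safe: renderTryAgainSafe(currentUrl),     // one tag: the payload is entity-encoded
  };
}
```

Run `node` on the file and call `demo()` to see the two strings: in the unsafe rendering the injected `<img>` becomes a real element with an `onerror` handler, while in the safe rendering it is just text inside the `href`. The encoder is the fix for reflected URLs; the `renderTryAgainNoReflection` variant is the design to prefer, since an error page has no reason to echo the URL that produced the error.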
Sasi