Overview:
Trigger XSS using portfolio name.
What had to be done?
OK, at first I tried different payloads in the portfolio name, but nothing triggered. After some more research I found that once I create my portfolio with the payload as its name and click one of the Deposit / Withdraw actions, my portfolio name is inserted into this function:
function initPage() {
  initVars();
  dview = google.finance.portfolio.init({
    id: '8',
    expected_hash: 'U66jb3VTR2ZPUjgtaXJqaXRZc2s33VNmVWdjfDEyOTc4NzE22NDk',
    edition: 'us',
    name: '--XSS PAYLOAD--',
    currency: 'USD'
  }, true,
  '/finance/s/7skxqAM7Z8M/chart9.swf?hl=en&gl=us',
  true,
  false,
  ''
  );
}
name: '--XSS PAYLOAD--', so I inserted this payload as the portfolio name: </script><body onload=alert(1)>. There was a filter: when you inserted </script>, the server removed everything before the </script>.

I appreciate the opportunity to preserve my skills and gain some more experience.
Thank you, Google security team.
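The root cause described above is user input being placed inside a JavaScript string literal in an inline script block. The HTML tokenizer ends a script element at the first </script> it sees, regardless of JavaScript quoting, so stripping text around that token is not a fix; the value has to be encoded for the script context. The following is an added example, not Google's code: a small encoder that turns an untrusted portfolio name into a JS string literal with the characters that matter inside a script element escaped as \uXXXX, plus a check that the rendered script element has exactly one closing tag. The function names (jsStringLiteral, renderInitScript, scriptElementIsIntact) and the sample payload string are assumptions constructed for this example; the init call is a simplified version of the snippet shown above.

```javascript
// Added example (not Google's code): safely embed an untrusted value, such as a
// portfolio name, inside an inline <script> block as a JS string literal.
//
// JSON.stringify produces a valid JS string literal with quotes and backslashes
// escaped, but it leaves '<', '>', '&' and the line terminators U+2028/U+2029
// alone. Inside a <script> element the HTML parser ignores JS string boundaries,
// so a literal "</script>" in the value would end the script early. Escaping
// those characters as \uXXXX keeps the value inside the string; the JS engine
// decodes them back to the original characters at runtime.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Render a simplified version of the init call from the write-up with the
// portfolio name embedded safely. Only the parameter that carried user input
// varies; the other fields are constants (hypothetical values).
function renderInitScript(portfolioName) {
  return [
    "<script>",
    "dview = google.finance.portfolio.init({",
    "  id: '8',",
    "  name: " + jsStringLiteral(portfolioName) + ",",
    "  currency: 'USD'",
    "});",
    "</script>",
  ].join("\n");
}

// Defensive check: the HTML tokenizer closes the script element on "</script"
// regardless of JS syntax, so the rendered output must contain that sequence
// exactly once, the closing tag we emit ourselves.
function scriptElementIsIntact(html) {
  const matches = html.match(/<\/script/gi) || [];
  return matches.length === 1;
}

// Constructed sample input: the payload shape described in the write-up.
const samplePayload = "</script><body onload=alert(1)>";

console.log(renderInitScript(samplePayload));
console.log("script element intact:", scriptElementIsIntact(renderInitScript(samplePayload)));
```

Because the escaping happens at the JS string level rather than by removing tokens, the encoded literal still evaluates to the original portfolio name, so the application keeps working while the browser never sees a second </script> inside the element.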

Did you get a reward for that bug?

The answer is no. This is the first one I found and I just wanted to share the finding.

Google Security Team acknowledged to me that someone else reported this issue before I did.

Hey Ben,
I asked because I was the guy who reported the issue before.
Btw. I checked the bug again right now. And the fix is incomplete. 8-)
thanks