Wednesday, October 23, 2013

XSS at Blogger

One fine night, when I was editing my Blogger account, I found an awkward behavior.
This caught my eye, and upon digging a bit... BOOM



POC:
The vulnerable link was: https://www.blogger.com/switch-profile.g?switchProfileSource=3&continue=/home

Now, let's change this "continue" parameter's value to https://www.google.com

and it redirects to https://www.google.com

Lemme try something else: "data:text/html;base64,......"

AND......BOOM
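The root cause shown above is a `continue` parameter that is passed straight to a redirect, so an attacker-supplied absolute URL or a `data:` URI is followed as-is. The usual fix is to validate the target server-side before redirecting: accept only same-site relative paths (like the original `/home`) or absolute URLs whose host is on an explicit allow-list, and fall back to a safe default for everything else. The following is an added example written for this post, not Blogger's or Google's own code; the `ALLOWED_HOSTS` set, the `DEFAULT_TARGET` value and the `safe_continue` function name are assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts the application is willing to send users to after a profile switch.
# Constructed for this example; a real deployment loads its own list.
ALLOWED_HOSTS = {"www.blogger.com"}

# Schemes that must never be followed from a "continue" parameter. A data:
# or javascript: target lets the redirected page run script, which is what
# the post above demonstrates with a base64 data: URI.
FORBIDDEN_SCHEMES = {"data", "javascript", "vbscript", "file"}

# Where to send the user when the supplied target is rejected (assumed value).
DEFAULT_TARGET = "/home"


def safe_continue(raw: str, default: str = DEFAULT_TARGET) -> str:
    """Return a redirect target that stays on an allowed origin.

    Accepts only same-site relative paths ("/home") or absolute https URLs
    whose host is in ALLOWED_HOSTS. Anything else (external hosts, data:,
    javascript:, scheme-relative "//evil.example", control characters)
    falls back to `default`.
    """
    if not raw:
        return default

    # Strip leading/trailing whitespace and reject embedded control
    # characters; some browsers tolerate tabs or newlines inside a scheme.
    candidate = raw.strip()
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return default

    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()

    # Reject forbidden schemes outright, regardless of what follows.
    if scheme in FORBIDDEN_SCHEMES:
        return default

    # Relative path: no scheme and no netloc. Reject scheme-relative
    # ("//example.org") and backslash forms ("/\example.org"), which
    # browsers normalize to an external host.
    if scheme == "" and parts.netloc == "":
        if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
            return candidate
        return default

    # Absolute URL: require https, an allow-listed host, no userinfo and no
    # explicit port; rebuild it so the fragment is dropped.
    if (
        scheme == "https"
        and parts.hostname in ALLOWED_HOSTS
        and parts.username is None
        and parts.port is None
    ):
        return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))

    return default


if __name__ == "__main__":
    # Constructed sample inputs mirroring the post: the original value, an
    # external site, and a data: URI (base64 of the word "PAYLOAD").
    for target in (
        "/home",
        "https://www.google.com",
        "data:text/html;base64,UEFZTE9BRA==",
        "//evil.example/x",
        "https://www.blogger.com/home?x=1",
    ):
        print(f"{target!r:45} -> {safe_continue(target)!r}")
```

The check is deliberately an allow-list rather than a block-list of bad schemes: the scheme set only catches the obvious cases early, and the final decision is "relative path on this site, or https to a known host", so a scheme nobody thought of cannot slip through.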

Snapshots:

Anyways I wasn't rewarded a penny :( because of Browser Issue (nothing new with Google) and Same Origin Policy and some typical requirements, and the list goes on and on

Thanks to Google Security Team for fixing the bug in a matter of days and listing me in the Hall Of Fame
2 comments:

  1. This comes under URL redirection or something. This won't come under XSS! because the js is not executing in google site, it's in the redirected page. ;)
  2. @Yogesh
    JavaScript is executed with the proper document.domain in Opera, and this is an expected behavior