One fine night, while I was editing my Blogger account, I found some awkward behavior.
This caught my eye, and upon digging a bit... BOOM
POC:
The vulnerable link was: https://www.blogger.com/switch-profile.g?switchProfileSource=3&continue=/home
Now, let's change the value of "continue" to https://www.google.com
and it redirects to https://www.google.com, so the parameter is an open redirect.
Let me try something else: "data:text/html;base64,......
AND...... BOOM, it accepts the data: URI as well.
Snapshots:
Anyways, I wasn't rewarded a penny :( because of a browser issue (nothing new with Google), the Same Origin Policy, some typical requirements, and the list goes on and on.
Thanks to the Google Security Team for fixing the bug in a matter of days and listing me in the Hall of Fame.
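As an added example (not code from this post, and not Blogger's own implementation), here is how a post-login "continue" parameter like the one above should be validated before it is used as a redirect target. The www.blogger.com origin and the /home fallback are taken from the link quoted in the post; the evil.example hostnames, the base64 payload and the helper names are constructed for the demo and are assumptions.

```javascript
// Added example: validating a "continue" redirect parameter.
// Not Blogger's code. BASE_ORIGIN and DEFAULT_TARGET come from the link in the
// post; everything else below is constructed for illustration.

const BASE_ORIGIN = "https://www.blogger.com"; // origin the redirect must stay on
const DEFAULT_TARGET = "/home";                 // continue value in the original link

// The behaviour the post describes: whatever is in `continue` is redirected to.
// This is the vulnerable form: absolute URLs, data: and javascript: all pass.
function unsafeRedirectTarget(continueParam) {
  return continueParam;
}

// A common but insufficient fix: "it starts with a slash, so it is relative".
// Still accepts protocol-relative values such as //evil.example/ and /\evil.example/.
function naiveIsRelative(continueParam) {
  return continueParam.startsWith("/");
}

// Hardened form: resolve the value against our own origin with the WHATWG URL
// parser, then require an http(s) scheme and an exact origin match. Anything
// else (other hosts, data:, javascript:, unparseable input) falls back to /home.
function safeRedirectTarget(continueParam, baseOrigin = BASE_ORIGIN) {
  const fallback = new URL(DEFAULT_TARGET, baseOrigin).href;
  let target;
  try {
    target = new URL(continueParam, baseOrigin);
  } catch (e) {
    return fallback; // not a URL at all
  }
  const sameOrigin = target.origin === new URL(baseOrigin).origin;
  const webScheme = target.protocol === "https:" || target.protocol === "http:";
  return sameOrigin && webScheme ? target.href : fallback;
}

// Constructed inputs. The data: value is base64 for <script>alert(1)</script>,
// standing in for the truncated "data:text/html;base64,......" in the post.
const SAMPLE_CONTINUE_VALUES = [
  "/home",
  "https://www.google.com",
  "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
  "javascript:alert(1)",
  "//evil.example/",
  "/\\evil.example/",
  "https://www.blogger.com@evil.example/",
  "https://www.blogger.com.evil.example/",
];

// Runs every sample through the three variants and returns the rows.
function demo() {
  const rows = SAMPLE_CONTINUE_VALUES.map((v) => ({
    input: v,
    unsafe: unsafeRedirectTarget(v),
    naiveAccepts: naiveIsRelative(v),
    safe: safeRedirectTarget(v),
  }));
  console.table(rows);
  return rows;
}

demo();
```

The point of resolving with `new URL(value, baseOrigin)` rather than inspecting the raw string is that the parser applies the same normalisation the browser will (treating `\` like `/`, honouring `//host`, parsing `user@host`), so the origin comparison is made on what the browser would actually navigate to.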
This comes under URL redirection or something. This won't come under XSS, because the JS is not executing in the Google site; it's in the redirected page. ;)
@Yogesh JavaScript is executed with the proper document.domain in Opera, and this is expected behavior.