A month ago I succeeded in finding an XSS (cross-site scripting) vulnerability on one of Google's acquisitions, Wildfire (wildfireapp), and Google paid me some bucks and put me in the Hall of Fame in the reward section. Here's how I did it :)
My first target was google.com, but after spending the whole day searching for a vulnerability on google.com I ended up with nothing. You know, it's 2013 and it's a real pain to hit Google unless you are doing something weird.
Well, after failing on google.com I moved toward the acquisitions, and after googling a few more minutes I found wildfireapp.com (actually I got a lot of results and picked it more or less indirectly, and luckily got success). Here's the wildfireapp.com acquisition news: http://wildfireapp.blogspot.in/2012/07/wildfire-is-joining-google.html (don't ask now how I found it).
Let's continue. Time to sign up; did it in 2 minutes. Now testing time :D
After logging in I got redirected to the URL
https://promos.wildfireapp.com/dashboard/contests
I was searching for a form where I could pass my vector and execute it. There were a few tabs on the left-hand side.
Everyone has their own testing strategy; here's mine: let's be noob, I pasted my vector in every field.
My vector was :
"><img src=x onerror=prompt(document.cookie);>
After saving, time to check the preview.
And the vector got executed in the Contest field. Finally made it,
but now the problem was that it was a self-XSS (I forgot to take a screenshot), and Google won't pay out for self-XSS: bad luck.
Again, by spending a few minutes I realized that the same page was vulnerable to a clickjacking attack, so I could combine XSS and clickjacking and exploit the unexploitable XSS with clickjacking; you can read how to do it here: http://blog.kotowicz.net/2011/03/exploiting-unexploitable-xss-with.html
But that wasn't necessary: on the preview there were two options, Private and Public. By selecting Public I got a link; I copied and pasted it into a tab and the vector got executed. Cool! Now it's stored XSS :D
It's patched, but still, the POC URL: http://promoshq.wildfireapp.com/website/6/contests/325365?contest_design_id=20964&preview_key=ecfb838f12758a5462e735142412f457
At last, thank you Google security team for the quick response and patch.
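As an added illustration (not code from the original post, and not Wildfire's code), here is a small Python model of the preview page described above: one template that drops the stored contest name straight into an HTML attribute, which is the failure mode the vector exploits, and one that encodes it for that context, plus a parser-based check of what a browser would actually see and the frame-blocking headers that remove the clickjacking route mentioned above. The template, the function names and the header choices are assumptions; the only input is the vector quoted in the post.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the vector quoted in the post, submitted as a
# contest name. Template and function names are hypothetical, not Wildfire's.
VECTOR = '"><img src=x onerror=prompt(document.cookie);>'


def render_preview_vulnerable(contest_name: str) -> str:
    """Drop the stored value straight into an attribute (hypothetical template).
    The leading "> closes the attribute and the tag, so the <img> that follows
    becomes live markup; anyone opening the public preview link runs it."""
    return f'<input name="contest" value="{contest_name}">'


def render_preview_fixed(contest_name: str) -> str:
    """Encode for the HTML attribute context. quote=True turns " and ' into
    entities, so the stored text can no longer terminate the attribute."""
    safe = html.escape(contest_name, quote=True)
    return f'<input name="contest" value="{safe}">'


class TagCollector(HTMLParser):
    """Collect start tags and any on* event-handler attributes a browser
    would see; used to audit what the rendered preview actually contains."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))


def audit_markup(markup: str) -> tuple[list[str], list[tuple[str, str]]]:
    """Return (tags seen, (tag, handler-attribute) pairs) for a rendered page."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.handlers


def preview_response_headers() -> dict[str, str]:
    """Assumed headers for the preview response so it cannot be framed: the
    clickjacking route in the post depends on the page being embeddable."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


if __name__ == "__main__":
    for label, render in (("vulnerable", render_preview_vulnerable),
                          ("fixed", render_preview_fixed)):
        markup = render(VECTOR)
        tags, handlers = audit_markup(markup)
        print(f"{label}: {markup}")
        print(f"  tags={tags} handlers={handlers}")
```

Running it shows the vulnerable template yielding two elements (input and img) with an onerror handler, while the encoded template yields a single input whose value is the literal text; the difference between private and public preview in the post is only who can reach that rendered page, so the encoding fix has to be on the server side regardless of the sharing setting.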
Nice! (y) And Congo! :)
How much bounty? I was doing bounty on Google and Yahoo too. I've got one pending report. I'm still waiting for it.
“>”@x.y