[BugBounty] The 5000$ Google XSS

Dear followers,

i recently searched for vulnerabilities on a Google service called tagmanager, this service is used for SEO operations. My main research was to look for any field that could be vulnerable to Cross Site Scripting, but every field was protected against special characters as you can see in the image below. So pretty useless to search on further on this.
mac

So the next thing i saw was that the Tagmanager allowed a user to upload a set of definitions, tags, and Macros in form of a JSON File. json

What i did next was to download the sample JSON file and edited the Name fields of the macros (which were not allowed special characters)

      "data": {
        "name": "#“><img src=/ onerror=alert(3)>",
        "type": "AUTO_EVENT_VAR",
        "autoEventVarMacro": {
          "varType": "HISTORY_NEW_URL_FRAGMENT"
        }

And guess what ? After uploading and overwriting the settings, the Payload got executed.

Here’s the POC Video i sent in

 

Hope you enjoyed! 🙂

10721113_572544522871857_964844342_n

all the best

Patrik

 

 

7 Gedanken zu „[BugBounty] The 5000$ Google XSS

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.