Today I want to share a short write-up about a stored cross-site scripting (XSS) issue I found on the Google Cloud Console. I consider it a lucky find. Some of you may remember the tweet I sent to Frans Rosén after he discovered a vulnerability on Google Payments:
As it turned out, among the unsuccessful XSS payloads I had saved on my Google account, there was one that actually fired, though not in the way I expected. When I was originally testing my payloads, I never managed to trigger execution; it only happened recently, and inadvertently. But let’s start from the beginning.
Here’s the video POC I sent in for the Google VRP:
That’s it 🙂
Thanks to Peter @yaworsk for editing :-)! Follow him and support him by buying his book! For more technical write-ups have a look at ERNW’s Insinuator blog, where I blog now and then about mobile security and IPv6.
If you have any questions please feel free to contact me at patrik.fehrenbach (at) it-securityguard.com
I recently discovered a stored cross-site scripting vulnerability on PayPal’s core site. The scenario is a bit weird, but I hope to explain everything as well as possible.
But when I tried to complete the registration, PayPal’s security module showed me an error saying there was some kind of problem with my request. When I looked at the URL, I saw that there was some kind of progress bar.
To summarize the process:
1. Create an account with the malicious payload.
2. At the point where the PayPal system stops you from continuing, erase the URL back to /webapps/ (this bypassed the security restriction).
3. Create an invoice and send it to the victim.
4. The victim logs into the account and the payload gets executed.
I made a small PoC video that shows the impact:
I recently searched for vulnerabilities on a Google service called Tag Manager, which is used for SEO operations. My main goal was to look for any field that could be vulnerable to cross-site scripting, but every field was protected against special characters, as you can see in the image below. So it was pretty useless to search any further there.
The next thing I noticed was that Tag Manager allowed a user to upload a set of definitions, tags, and macros in the form of a JSON file.
What I did next was to download the sample JSON file and edit the name fields of the macros (which were not allowed to contain special characters in the UI):
"name":"#"><img src=/ onerror=alert(3)>",
And guess what? After uploading the file and overwriting the settings, the payload got executed.
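The common thread in the PayPal and Tag Manager findings is a name filter enforced only by the front-end form, while a second path (a trimmed URL, a JSON import) stores the same value unchecked. The following added example (my own illustration, not Google’s or PayPal’s code) applies one name policy to every named object in an imported document and escapes stored names on output; the JSON layout with top-level "macros" and "tags" lists is an assumption, not the real export format.

```python
import html
import json
import re

# Constructed sample import modelled on the JSON upload described above.
# The "macros"/"tags" structure is an assumption, not the real Tag Manager format.
SAMPLE_IMPORT = json.dumps({
    "macros": [
        {"name": "pageUrl", "type": "u"},
        {"name": '#"><img src=/ onerror=alert(3)>', "type": "u"},
    ],
    "tags": [{"name": "ga-pageview", "type": "ua"}],
})

# The same allow-list the UI form enforces, applied server-side so that the
# import path cannot be used to get around it: letters, digits, space, . _ -
NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,100}$")


def find_invalid_names(import_text):
    """Check every named object in an imported container against NAME_RE.

    Returns a list of (section, index, name) tuples that the web form would
    have rejected; an empty list means the import is safe to persist.
    """
    doc = json.loads(import_text)
    violations = []
    for section in ("macros", "tags"):
        for idx, obj in enumerate(doc.get(section, [])):
            name = obj.get("name", "")
            if not isinstance(name, str) or not NAME_RE.match(name):
                violations.append((section, idx, name))
    return violations


def render_name(name):
    """Escape a stored name for an HTML text or attribute context.

    Output encoding is the second layer: even if a value slipped past the
    import check, < > & " ' are turned into entities and no tag is created.
    """
    return html.escape(name, quote=True)


if __name__ == "__main__":
    for section, idx, name in find_invalid_names(SAMPLE_IMPORT):
        print(f"rejected {section}[{idx}]: {render_name(name)}")
```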