Q and A for any cross site scripting information. Feel free to ask away. 
http://www.google.com/search? xss
Posted by: anjin
Date: January 14, 2010 12:51PM

Hello

I have found an XSS hole in Google search.
Should I report it to Google?

grtz

anjin
the netherlands

Re: http://www.google.com/search? xss
Posted by: id
Date: January 14, 2010 01:19PM

You should exploit it to make sla.ckers.org number one in search for granny pr0n

-id

Re: http://www.google.com/search? xss
Posted by: rvdh
Date: January 14, 2010 02:33PM

@id

That should have been written in the ToS years ago! ;-)

Re: http://www.google.com/search? xss
Posted by: anjin
Date: January 14, 2010 02:58PM

yeah that would have been my life's mission.. if only it had the slightest sqli potential, granny pron connoisseurs would have been all over this place by now..

no seriously

Re: http://www.google.com/search? xss
Posted by: lightos
Date: January 14, 2010 04:48PM

Report it or share it, it's all up to you!
Can't say I'm not a little curious to see where it's located.

Re: http://www.google.com/search? xss
Posted by: anjin
Date: January 14, 2010 05:17PM

well I haven't seen anything like it on xssed.. it's good :)

Re: http://www.google.com/search? xss
Posted by: thrill
Date: January 14, 2010 05:29PM

you should report it to google by posting it here since they love us so much.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: http://www.google.com/search? xss
Posted by: sirdarckcat
Date: January 14, 2010 08:35PM

yep! they will fix it faster if you post it here... that's the most ethical thing to do.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: http://www.google.com/search? xss
Posted by: anjin
Date: January 16, 2010 11:05AM

aight I will contact Google about this issue and send the vulnerable URL to xssed so kevin can put a mirror up.

Re: http://www.google.com/search? xss
Posted by: anjin
Date: January 17, 2010 04:29AM

It took google only a couple of hours to fix this.

http://www.youtube.com/watch?v=VnJiGW6fsBo

Re: http://www.google.com/search? xss
Posted by: sirdarckcat
Date: January 17, 2010 05:33AM

afaik google needs more than a couple of hours to deploy to all their servers in the world.

The URL was
http://www.google.com/search?source=ig&rlz=&q=foobar&undefined=cr&um=1&ie=UTF-8&tbo=1&tbs=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2fscript%3E&sa=N&tab=wb

I find it difficult to believe it took them a couple of hours, mine usually take more than a week =/

Anyway, xssed got a mirror? I want to see where the XSS was. From what we can see it was an embedded <script> (the page stops loading during the alert) and apparently before the search input box.. so that means that you were escaping from an attribute, as your payload suggests, so I will assume you were escaping from the 'Sign out' button, anyway.. I just wanna know where it was haha.

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 01/17/2010 05:38AM by sirdarckcat.
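
Added example, not part of any post in this thread and not Google's code: it takes the URL quoted above, reflects each query parameter into a double-quoted HTML attribute with and without attribute encoding, and reports which parameters break out of the attribute. The `<input>` template and all function names are assumptions for illustration; the thread never establishes where the value was actually reflected.

```javascript
// URL as posted in the thread (forum line-wrap space in "UTF-8" removed).
const POSTED_URL =
  "http://www.google.com/search?source=ig&rlz=&q=foobar&undefined=cr&um=1" +
  "&ie=UTF-8&tbo=1" +
  "&tbs=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2fscript%3E" +
  "&sa=N&tab=wb";

// Encode a value for use inside a quoted HTML attribute.
function encodeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical template (assumption): reflects one parameter into an attribute.
function render(name, value, encoder) {
  return '<input type="hidden" name="' + encodeAttr(name) +
         '" value="' + encoder(value) + '">';
}

// True when the value stayed inside value="...": the template's own six
// double quotes are the only ones, there is no second '<', and the only
// literal '>' is the one that closes the tag.
function staysInAttribute(html) {
  const quotes = html.split('"').length - 1;
  return quotes === 6 && html.indexOf("<", 1) === -1 &&
         html.indexOf(">") === html.length - 1;
}

// Report which query parameters break out of the attribute for a given encoder.
function auditParams(url, encoder) {
  const escaping = [];
  for (const [name, value] of new URL(url).searchParams) {
    if (!staysInAttribute(render(name, value, encoder))) escaping.push(name);
  }
  return escaping;
}

const identity = (v) => v; // the unencoded "before" case
console.log("unencoded:", auditParams(POSTED_URL, identity));
console.log("encoded:  ", auditParams(POSTED_URL, encodeAttr));
```
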

Re: http://www.google.com/search? xss
Posted by: Reiners
Date: January 17, 2010 08:02AM

maybe you send a request for your name at http://www.google.com/intl/en/corporate/security.html to at least get something out of it.

nice find.

Re: http://www.google.com/search? xss
Posted by: hcoder
Date: January 17, 2010 06:35PM

some delete this post ;)



Edited 1 time(s). Last edit at 01/17/2010 06:36PM by hcoder.
