Hello

I have found a xss hole in google search.
Should i report it to google?

grtz

anjin
the netherlands

You should exploit it to make sla.ckers.org is number one in search for granny pr0n

-id

@id

That should have been written in the ToS years ago! ;-)

yeah that wouild have been my life's mission..if only it had the slightest sqli potential granny pron connaisseurs would have been all over this place by now..

no seriously

Report it or share it, it's all up to you!
Can't say I'm not a little curious to see where it's located.

wel i havent seen anything like it on xssed..its good :)

you should report it to google by posting it here since they love us so much.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

yep! they will fix it faster if you post it here... that's the most ethical thing to do.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

aight i will contact google about this issue and send the vulnerable url to xssed so kevin can put a mirror up.

It took google only a couple of hours to fix this.

http://www.youtube.com/watch?v=VnJiGW6fsBo

afaik google needs more than a couple of hours to deploy to all their servers in the world.

The URL was

http://www.google.com/search?source=ig&rlz=&q=foobar&undefined=cr&um=1&ie=UT F-8&tbo=1&tbs=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2fscript%3E&sa=N&tab=wb

I find it difficult to believe it took them a couple of hours, mines usually take more than a week =/

Anyway, xssed got a mirror? I want to see where was the XSS, for what we can see it was a embedded <script> (the page stops loading during the alert) and apparently before the search input box.. so that means that you were escaping from an attribute, as you payload suggests, so I will asume you were escaping from the 'Sign out' button, anyway.. I just wanna know where it was haha.

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 01/17/2010 05:38AM by sirdarckcat.

maybe you send a request for your name at http://www.google.com/intl/en/corporate/security.html to at least get something out of it.

nice find.

some delete this post ;)



Edited 1 time(s). Last edit at 01/17/2010 06:36PM by hcoder.