

Google Fake XSS

Originally posted by [s]:
Sup guys, a year ago I was seeking bugs in Google applications. I found one bug which is already known to Google; in fact, Google added this vulnerability to fool newbies. After a long time waiting, I have decided to release it!

Fake Vuln URL  :
Google used a common payload to fool people!

It was weird for me: when I used alert(1), it was popping 41, as shown in the following image.

Fake Alert Generating JS Code

        var sel = document.getElementById('f-Category');
        var inp = document.getElementById('f-Category-Other');
            if(sel.value == "other" && != 'none'){
       = 'block';
       = 'none';
                inp.onblur = function(){
                    if (inp.value == '' && == 'block'){
               = 'block';
               = 'none';
                        sel.value = 'none';
         eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('5(4.3.6(/2\\([\'"]a[\'"]\\)/))2(\'c\');7 5(4.3.6(/2\\([0-9]/))2(b);7 5(4.3.6(/2\\(8.d/))2(\'q.0.0.1\');7 5(4.3.6(/2\\(8.f/))4.3=\'g://h.i/j/k-l-m-n-o/p.e\';',27,27,'||alert|href|location|if|match|else|document||xss|42|excesses|domain|aspx|cookie|http|allrecipes|com|Recipe|Beths|Spicy|Oatmeal|Raisin|Cookies|Detail|127'.split('|'),0,{})); 
As you can see, the eval function is what is responsible for alerting 41... You can use any other payload to alert a different output!

PS: I don't know if someone already knows it! Because it's my very old finding.

Sandeep Aka [S]
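
To read the packed script from the post without executing it, the packer's dictionary substitution can be reproduced with the eval() dropped and the resulting if/else chain tabulated against sample URLs. This is an added example, not part of the original post; the function names and the sample URLs (placeholder host example.test) are constructed for illustration.

```javascript
// Payload and dictionary copied verbatim from the eval(...) call in the post.
const PACKED = '5(4.3.6(/2\\([\'"]a[\'"]\\)/))2(\'c\');7 5(4.3.6(/2\\([0-9]/))2(b);7 5(4.3.6(/2\\(8.d/))2(\'q.0.0.1\');7 5(4.3.6(/2\\(8.f/))4.3=\'g://h.i/j/k-l-m-n-o/p.e\';';
const WORDS = '||alert|href|location|if|match|else|document||xss|42|excesses|domain|aspx|cookie|http|allrecipes|com|Recipe|Beths|Spicy|Oatmeal|Raisin|Cookies|Detail|127'.split('|');

// The packer's substitution step without the eval(): each \w+ token is a
// base-`radix` index into the dictionary; an empty slot keeps the token.
function unpack(packed, radix, words) {
  const table = new Map();
  words.forEach((w, i) => table.set(i.toString(radix), w || i.toString(radix)));
  return packed.replace(/\b\w+\b/g, (tok) => (table.has(tok) ? table.get(tok) : tok));
}

// Split the decoded if/else chain into { pattern, action } pairs so the
// script's behaviour can be tabulated statically instead of being run.
function branches(src) {
  const re = /if\(location\.href\.match\(\/(.+?)\/\)\)(.+?);/g;
  return [...src.matchAll(re)].map((m) => ({ pattern: new RegExp(m[1]), action: m[2] }));
}

// Which canned action fires for a given page URL (first match wins, as in
// the original else-if chain); null when no branch matches.
function decoyAction(url, src) {
  const hit = branches(src).find((b) => b.pattern.test(url));
  return hit ? hit.action : null;
}

const DECODED = unpack(PACKED, 27, WORDS);
// Constructed sample URLs; example.test is a placeholder host.
const SAMPLES = [
  "https://example.test/?q=<script>alert(1)</script>",
  "https://example.test/?q=<script>alert('xss')</script>",
  "https://example.test/?q=<script>alert(document.domain)</script>",
  "https://example.test/?q=<script>alert(document.cookie)</script>",
  "https://example.test/?q=<script>alert(window.name)</script>",
];
console.log(DECODED);
for (const u of SAMPLES) console.log(u, "=>", decoyAction(u, DECODED));
```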


