Thursday, 12 December 2013
4 comments

Un-patched Google Vulnerabilities, #FAIL Bug Bounty Program

Today we are going to expose some live Google Vulnerabilities which are not under bug bounty program.

1. XSS On Google Vulnerability Submission Page:


https://www.google.com/appserve/security-bugs/new?rl=%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Above script gives XSS on Google vulnerability submit page.. isn't it funny.. :P

2. XSS on Google Translate Page
When we reported about the above code then we got reply by Google.

"Cross-site scripting vulnerabilities in “sandbox” domains. We maintain a number of domains that leverage the same-origin policy to safely isolate certain types of untrusted content; the most prominent example of this is "*.googleusercontent.com". Unless an impact on sensitive user data can be demonstrated, we do not consider the ability to execute JavaScript in that domain to be a bug."

3. Redirect URL

http://www.google.com/search?source=hackersonlineclub.com&hl=www.hackersonlineclub.com&q=www.hackersonlineclub.com&btnG=www.hackersonlineclub.com&btnI=www.hackersonlineclub.com

http://www.google.com/search?btnI&q=allinurl:http://www.hackersonlineclub.com/

"URL redirection. We recognize that the address bar is the only reliable security indicator in modern browsers; consequently, we hold that the usability and security benefits of a small number of well-designed and closely monitored redirectors outweigh their true risks."

-> The first point is an Easter egg. when you will try below script
https://www.google.com/appserve/security-bugs/new?rl=<script>alert(document.cookie)</script>
 then the page will redirect to 
http://allrecipes.com/Recipe/Beths-Spicy-Oatmeal-Raisin-Cookies/Detail.aspx

-> The second one is on a sandbox domain *.googleusercontent.com

-> Redirect URL all recognized & monitored by Google.

So all above scripts code are not under bug bounty program of Google.

4 comments:

  1. The fail is yours, try to put alert(document.cookie), you will be redirected to http://allrecipes.com/Recipe/Beths-Spicy-Oatmeal-Raisin-Cookies/Detail.aspx

    ReplyDelete
  2. Hi Proph3t, Yes we already known about that.. its an Easter egg..

    ReplyDelete
    Replies
    1. hi admin thanks can u help me ...find some ..000..http://www.dotmic.com/ this is my site

      Delete

 
Toggle Footer
Top