XSS on Google{5.000$}-Google Vulnerability Reward Program (VRP)


 First of all, bug hunting is a very nice hobby for me. I like to research. Google is a great place to explore security vulnerabilities. Google has large areas. I started looking for vulnerabilities on Google images.

Google Images Search

When you look inside a picture, you can see the text. At the top there is a title about the site. How do I change this text with XSS? I thought about that.

I found a detail here. Many researchers may have skipped this detail. Details are sometimes very important :)

POC--------------> XSS on GOOGLE

1- I chose a site to upload the image. For example, the name of this site: example.com

An XSS payload can be placed as the main title on the page . This main title will go into the Google images.

XSS payload : "/></a></><img src=1.gif onerror=alert(1);>

Another method : Creating membership in a site 

Enter this name during registration (Member name) : "/></a></><img src=1.gif onerror=alert(1);>

2- Then I uploaded a photo. On this site: example.com

Sample picture : Trojan_horse.jpg = example.com/Trojan_horse.jpg

As a result, I created a picture with a page title.

So what you need to understand

Mathematical sample

Page title + Trojan_horse.jpg = XSS or Member Name + Trojan_horse.jpg = XSS

Page title (example.com) = "/></a></><img src=1.gif onerror=alert(1);>

Trojan_horse.jpg = example.com/Trojan_horse.jpg

and result XSS = Google image text

Thus, the text may change with XSS.

3- I started searching this image in Google images : Trojan_horse.jpg

4- 2 days later I found the picture I uploaded to google. I found XSS . Stored XSS was created.

I reported it to Google.

Reward: 5,000 $

Google is a quality company and they are very interested. Thank you :)


YouTube Video

XSS in Google İmage Search,XSS on Google

XSS in Google İmage Search,XSS on Google

XSS in Google İmage Search,XSS on Google

XSS in Google İmage Search,XSS on Google