XSS on Google {5.000$} - Google Vulnerability Reward Program (VRP)


Hi

 First of all, bug hunting is a very nice hobby for me. I like to research. Google is a great place to explore security vulnerabilities. Google has large areas. I started looking for vulnerabilities on Google images.



Google Images Search


When you look inside a picture, you can see the text. At the top there is a title about the site. How do I change this text with XSS? I thought about that.

I found a detail here. Many researchers may have skipped this detail. Details are sometimes very important :)



PoC: XSS on Google


1- I chose a site to upload the image. For example, the name of this site: example.com

An XSS payload can be placed as the main title on the page. This main title will go into Google Images.

XSS payload : "/></a></><img src=1.gif onerror=alert(1);>

Another method: creating a membership on a site

Enter this name during registration (Member name) : "/></a></><img src=1.gif onerror=alert(1);>

2- Then I uploaded a photo. On this site: example.com

Sample picture : Trojan_horse.jpg = example.com/Trojan_horse.jpg

As a result, I created a picture with a page title.

So what you need to understand

Mathematical sample

Page title + Trojan_horse.jpg = XSS or Member Name + Trojan_horse.jpg = XSS

Page title (example.com) = "/></a></><img src=1.gif onerror=alert(1);>

Trojan_horse.jpg = example.com/Trojan_horse.jpg

and result XSS = Google image text

Thus, the text may change with XSS.


3- I started searching for this image in Google Images: Trojan_horse.jpg


4- 2 days later I found the picture I uploaded in Google. I found XSS. A stored XSS was created.
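The root cause in the steps above is that a crawled page title is third-party input that reached the page without output encoding. The sketch below is an added example, not Google's code and not part of the original write-up: the renderer, its markup and all function names are assumptions, and it shows the unencoded rendering beside an encoded one using the title string from step 1.

```javascript
// Added example: hypothetical renderer for an image-search result card.
// The crawled page title is untrusted and must be encoded for the HTML
// context it lands in. All names and the markup are assumptions.

// Constructed sample record, using the title string from the write-up.
const crawled = {
  imageUrl: "https://example.com/Trojan_horse.jpg",
  pageTitle: '"/></a></><img src=1.gif onerror=alert(1);>',
};

// Vulnerable: the title is concatenated into an attribute and a text node.
function renderUnsafe(r) {
  return `<a href="${r.imageUrl}" title="${r.pageTitle}">${r.pageTitle}</a>`;
}

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only http(s) links so a crawled URL cannot carry another scheme.
function safeUrl(u) {
  try {
    const p = new URL(u);
    return p.protocol === "https:" || p.protocol === "http:" ? p.href : "#";
  } catch {
    return "#";
  }
}

// Hardened: every crawled field is encoded at the point of output.
function renderSafe(r) {
  const title = escapeHtml(r.pageTitle);
  return `<a href="${escapeHtml(safeUrl(r.imageUrl))}" title="${title}">${title}</a>`;
}

// Rough proxy for injected markup: count unescaped tag openers ("<" + letter).
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

console.log("unsafe tags:", countTags(renderUnsafe(crawled)));
console.log("safe tags:  ", countTags(renderSafe(crawled)));
```

The unencoded version yields extra tag openers beyond the single anchor the template intended; the encoded version yields only that anchor.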


I reported it to Google.


Reward: 5,000 $


Google is a quality company and they are very interested. Thank you :)






XSS in Google Image Search, XSS on Google
