XSS in sandbox domains

Google uses a range of sandbox domains to safely host various types of user-generated content. Many of these sandboxes are specifically meant to isolate user-uploaded HTML, JavaScript, or Flash applets and make sure that they can't access any user data.

For this reason, we recommend using alert(document.domain) instead of alert(1) as your default XSS payload: what matters is which origin the payload actually runs in, not the fact that it runs. In particular, if you see script execution in any subdomain of the domains in this list:

  • ad.doubleclick.net
  • googleusercontent.com
  • googlecode.com
  • codespot.com
  • feeds.feedburner.com
  • googleadservices.com
  • googledrive.com
  • googlegroups.com
  • {your-blog-name}.blogspot.com
  • {your-app-name}.appspot.com
  • firebasestorage.googleapis.com
  • storage.googleapis.com
  • kaggleusercontent.com
  • translate.goog

...your report will probably not qualify, unless you can come up with an attack scenario where the injected code could gain access to sensitive user data.
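As an added example (this is not code from Google's page or program), the helper below takes the host that alert(document.domain) displayed and checks it against the sandbox list above, so a reporter can tell before filing whether the execution landed in an isolated origin. The two placeholder entries are treated as "any label in front of blogspot.com / appspot.com", and matching is done on whole DNS labels, since a naive suffix test would also accept look-alike names such as evilgoogleusercontent.com or evil-storage.googleapis.com. The sample hosts and the verdict strings are constructed for illustration.

```javascript
// Sandbox list transcribed from the page. A leading "*." marks the entries the
// page writes with a placeholder ({your-blog-name}.blogspot.com and
// {your-app-name}.appspot.com): those need at least one label in front.
const SANDBOX_DOMAINS = [
  "ad.doubleclick.net",
  "googleusercontent.com",
  "googlecode.com",
  "codespot.com",
  "feeds.feedburner.com",
  "googleadservices.com",
  "googledrive.com",
  "googlegroups.com",
  "*.blogspot.com",
  "*.appspot.com",
  "firebasestorage.googleapis.com",
  "storage.googleapis.com",
  "kaggleusercontent.com",
  "translate.goog",
];

// Lower-case, strip a trailing dot, and reject anything that is not a plausible
// hostname. document.domain / location.hostname never carry a scheme, port or
// path, but a value copied out of a screenshot or report might.
function normalizeHost(host) {
  if (typeof host !== "string") return null;
  const h = host.trim().toLowerCase().replace(/\.$/, "");
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(h) ? h : null;
}

// Match on whole DNS labels. A plain endsWith("googleusercontent.com") would
// also accept "evilgoogleusercontent.com", so the dot is part of the test.
function matchesEntry(host, entry) {
  if (entry.startsWith("*.")) {
    return host.endsWith(entry.slice(1)); // ".blogspot.com": a label is required
  }
  return host === entry || host.endsWith("." + entry);
}

// Returns the matching sandbox entry, or null if the host is not under any.
function matchSandbox(host) {
  const h = normalizeHost(host);
  if (h === null) return null;
  return SANDBOX_DOMAINS.find((entry) => matchesEntry(h, entry)) ?? null;
}

// Triage verdict (constructed labels) for the host a payload reported. Mirrors
// the page's rule: execution in a sandbox origin is expected unless the payload
// can reach sensitive user data from there.
function triage(host) {
  const h = normalizeHost(host);
  if (h === null) return { host, verdict: "invalid-host", sandbox: null };
  const sandbox = matchSandbox(h);
  return sandbox === null
    ? { host: h, verdict: "not-sandbox", sandbox: null }
    : { host: h, verdict: "sandbox", sandbox };
}

// Constructed sample: hosts as they would appear in the alert box.
const SAMPLE_HOSTS = [
  "lh3.googleusercontent.com",   // subdomain of a listed sandbox
  "myblog.blogspot.com",         // placeholder entry with a blog-name label
  "blogspot.com",                // no label in front, so the placeholder does not apply
  "evil-storage.googleapis.com", // look-alike, not under storage.googleapis.com
  "mail.google.com",             // not on the list
];
for (const h of SAMPLE_HOSTS) console.log(h, "->", triage(h).verdict);
```

Only the sandbox entry, not the leaf host, decides the verdict: lh3.googleusercontent.com is a sandbox because it sits under googleusercontent.com, while evil-storage.googleapis.com is not, because googleapis.com as a whole is not on the list and the label boundary before storage.googleapis.com is not respected.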