Product Affected: https://cse.google.com
Vulnerability: XSS (Stored with user interaction)
Every bug ever reported has some realized or unrealized inspiration behind it. It can be a person, a bounty, a write-up or anything else. In my case the inspiration was the Google Vulnerability Research Grant that was awarded to me prior to BountyCon 2019. I started looking at subdomains and landed on https://cse.google.com.
Google CSE (Custom Search Engine) gives you the ability to create your own custom search engine for your website. Once you have created the custom search engine, you can view it at https://cse.google.com/cse?cx=<YOUR_ID>. It also allows you to add your own promotion URL to your custom search engine (https://cse.google.com/cse/search/promotions?cx=<YOUR_ID>).
Still complicated to exploit, as the user would have to enter the promotion-triggering query manually. So I did a bit of parameter guessing and it worked: https://cse.google.com/cse?cx=<YOUR_ID>&q=triggeringkeyword runs the search for you automatically. Now all you have to do is send the URL to the victim, and once they click on the promotion... TAAATAAAhh! XSS firesss! Couldn't make a URI-based XSS write-up any longer.. 🙂
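Whatever the exact stored payload was (the write-up does not say), the control that blocks this class of bug is validating a user-supplied link target such as the promotion URL before it is rendered as an anchor in search results, and escaping it separately from that check. The following is an added example and not Google's code or the author's: a Python validator (the names `validate_promotion_url` and `render_promotion` and the sample entries are constructed for illustration) that allowlists absolute http/https URLs, rejects control characters and scheme-relative or userinfo-bearing links, and HTML-escapes the anchor.

```python
"""
Added example (not part of the write-up): server-side validation of a
user-supplied link target, such as a CSE promotion URL, before it is
rendered as an <a href> in search results.

The write-up does not state the stored payload; this code assumes the
general risk that a user-controlled link target can carry a
script-executing scheme, and enforces an http/https allowlist.
"""
import html
from typing import Optional
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def validate_promotion_url(raw: str, max_len: int = 2048) -> Optional[str]:
    """Return the URL unchanged if it is an absolute http(s) URL, else None.

    Checks run on the raw string first because URL parsers normalise
    away tabs, newlines and leading whitespace, which is exactly what
    smuggles a "javascript:" scheme past a naive prefix check.
    """
    if not isinstance(raw, str) or not raw or len(raw) > max_len:
        return None
    # Reject C0 controls, DEL and any whitespace anywhere in the value.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F or ch.isspace() for ch in raw):
        return None
    parts = urlparse(raw)
    # Scheme must be explicitly http/https. This also rejects
    # scheme-relative "//host/path", "data:", "vbscript:" and bare paths.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if not parts.netloc:
        return None
    # Userinfo in the authority ("https://trusted.example@evil.example")
    # is a common lure in link targets; refuse it outright.
    if "@" in parts.netloc:
        return None
    return raw


def render_promotion(title: str, url: str) -> Optional[str]:
    """Render one promotion as an anchor, or None if the URL is rejected.

    Escaping stops markup injection in the attribute and text; the scheme
    allowlist stops a click from executing script. Both are needed:
    html.escape("javascript:alert(1)") returns the string unchanged.
    """
    safe_url = validate_promotion_url(url)
    if safe_url is None:
        return None
    return '<a href="{}" rel="noopener">{}</a>'.format(
        html.escape(safe_url, quote=True), html.escape(title, quote=True)
    )


if __name__ == "__main__":
    # Constructed sample promotion entries (not taken from the write-up).
    samples = [
        ("Summer sale", "https://shop.example/sale"),
        ("Click me", "javascript:alert(1)"),
        ("Click me", "JaVaScRiPt:alert(1)"),
        ("Click me", "java\tscript:alert(1)"),
        ("Click me", "//evil.example/"),
        ("Click me", "data:text/html,x"),
    ]
    for title, url in samples:
        print(repr(url), "->", render_promotion(title, url))
```

The validator returns the original string rather than a re-serialised one so that a later audit log shows exactly what the user submitted; the reject-on-any-whitespace rule is deliberately stricter than what browsers tolerate, because a promotion URL has no legitimate reason to contain such characters.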
Wait..Here is the GIF you were searching for..