Product Affected: https://cse.google.com
Vulnerability: XSS (Stored with user interaction)
Every bug that ever gets reported has some realized or unrealized inspiration behind it: a person, a bounty, a write-up, or anything else. In my case the inspiration was the Google Vulnerability Research Grant that was awarded to me prior to BountyCon 2019. I started looking through subdomains and landed on https://cse.google.com.
Google CSE (Custom Search Engine) gives you the ability to create your own custom search engine for your website. Once you have created one, you can view it at https://cse.google.com/cse?cx=<YOUR_ID>. It also lets you add your own promotion URLs to your custom search engine (https://cse.google.com/cse/search/promotions?cx=<YOUR_ID>).
When a user searches for one of the promotion's triggering keywords, the promotion link appears at the top of the results, just like an ad on Google. All you have to do is set the promotion URL to the classic “javascript:alert(0)”. Luckily it didn't get filtered: the stored URL goes straight into the link's href with no check on the scheme. Because that link is rendered on cse.google.com, clicking it runs the script in that origin, so once you search for the keyword and click the promotion link, the alert pops up.
This is still awkward to exploit, since the victim would have to type the triggering query manually. So I did a bit of parameter guessing, and it worked: https://cse.google.com/cse?cx=<YOUR_ID>&q=triggeringkeyword runs the search automatically. Now all you have to do is send that URL to the victim; once they click the promotion, the XSS fires. TAAATAAAhh! Couldn't make a URI-based XSS write-up any longer. 🙂
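To make the mechanism concrete, here is an added example that is not code from the original write-up or from Google CSE. It models a stored promotion being rendered into a search result, first the way the write-up describes it (the URL lands in the href unchecked) and then with the scheme allow-list that would have blocked the payload, plus the one-click URL from the last step. The promotion record, its title and keyword, and the function names are all made up for this example; the real matching rules for promotion keywords are not documented on the page.

```javascript
// Added example (not code from the original write-up or from Google CSE):
// models the promotion link rendering described above, and the scheme check
// that would have blocked the javascript: payload.

// Constructed sample promotion record, as an attacker would save it through
// the promotions page. Title, keyword and URL are made up for this example.
const storedPromotion = {
  title: 'Big deal',
  keywords: ['deal'],
  url: 'javascript:alert(0)',
};

// Escape text for use in HTML element content and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the attribute is HTML-escaped, which stops breaking
// out of the href, but a javascript: URL needs no markup injection at all.
// Clicking the rendered link runs the script in the page's own origin.
function renderPromotionUnsafe(promo) {
  return `<a href="${escapeHtml(promo.url)}">${escapeHtml(promo.title)}</a>`;
}

// Allow-list check on the URL scheme. Parsing with the WHATWG URL parser
// (Node's global URL) rather than a regex or startsWith() matters: the parser
// strips leading/trailing control characters and embedded tabs/newlines and
// lower-cases the scheme, so "  JAVASCRIPT:" and "java\tscript:" both come
// out as protocol "javascript:". Relative URLs resolve against the site's
// own origin and therefore pass.
function isSafeHref(raw, base = 'https://cse.google.com/') {
  if (typeof raw !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(raw, base);
  } catch {
    return false;
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Hardened rendering: any promotion whose URL is not http(s) is shown as
// plain text instead of a link.
function renderPromotionSafe(promo) {
  const title = escapeHtml(promo.title);
  if (!isSafeHref(promo.url)) {
    return `<span>${title}</span>`;
  }
  return `<a href="${escapeHtml(promo.url)}">${title}</a>`;
}

// Promotions whose keywords match the query (case-insensitive whole-word
// match on the query terms; assumed for this example).
function triggeredPromotions(promotions, query) {
  const terms = query.toLowerCase().split(/\s+/).filter(Boolean);
  return promotions.filter((p) =>
    p.keywords.some((k) => terms.includes(k.toLowerCase())));
}

// The one-click URL from the write-up: the q parameter pre-fills the search
// so the victim only has to click the promotion.
function buildOneClickUrl(cx, keyword) {
  const u = new URL('https://cse.google.com/cse');
  u.searchParams.set('cx', cx);
  u.searchParams.set('q', keyword);
  return u.toString();
}

// Stand-alone demo.
const hits = triggeredPromotions([storedPromotion], 'best deal');
console.log(buildOneClickUrl('<YOUR_ID>', 'deal'));
for (const p of hits) {
  console.log('unsafe:', renderPromotionUnsafe(p));
  console.log('safe:  ', renderPromotionSafe(p));
}
```

The point of `isSafeHref` is that it allow-lists schemes after full URL parsing rather than block-listing the string `javascript:`; a block-list misses case, whitespace and `data:`/`vbscript:` variants, while an allow-list on `http:`/`https:` does not care which trick was used.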
Thanks,
Wait.. here is the GIF you were looking for..