XSS on Google Custom Search Engine

Product Affected: https://cse.google.com

Vulnerability: XSS (Stored with user interaction)

Every bug that ever reported have some realized or unrealized inspirations. It can be a person, bounty, write-up or anything. In my case the inspiration was Google Vulnerability Research Grant that was rewarded to me prior to BountyCon 2019. I started looking for subdomain and landed in https://cse.google.com.

Google CSE (Custom Search Engine) gives you ability to create your own custom search engine for your website. Once you have created the custom search engine, you can view it with the following link. https://cse.google.com/cse?cx=<YOUR_ID>. It also allows you to add your own promotion URL to your custom search engine (https://cse.google.com/cse/search/promotions?cx=<YOUR_ID> ).

Screenshot from 2019-07-11 19-07-38


When the user search the promotion triggering keywords the ad URL will appear in top of search, just like Google. Now all you have to do now is add the most classic “javascript:alert(0)” to the promotion URL. Luckily it didn’t get filtered. So once you search the keyword and click on the promotion URL the alert will popup.

Screenshot from 2019-07-11 19-24-25

Still complicated to exploit,as user want to enter the promotion triggering query manually. So did a bit of parameter guessing and it worked . https://cse.google.com/cse?cx=<YOUR_ID>?q=triggeringkeyword will automatically search the payload for you. Now all you have to do is, send the URL to the victim and he have to click on the promotion. TAAATAAAhh! XSS firesss! Couldn’t make URI based XSS wite-up any longer.. 🙂



Wait..Here is the GIF you were searching for..


One thought on “XSS on Google Custom Search Engine

Add yours

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: