Friday, 11 April 2014

How I Got My First Bounty.. " A Tale of GMAIL Stored XSS "



Hey Guys,


This bug i reported a longback and fixed now. Lets jump into the story.


In GMAIL settings general tab, there is an option for creating an automatic mail responder, in case if we go on a vacation and if we dont want to be disturbed. While going through gmail, like all the others, i also ignored that feature and tried here and there.

At the same time one of my goood friend @iampr3m was also testing Gmail and he was trying hard to find something in the same settings page. However that guy begin his testing from the top and testing in the Signature feature. So i started testing the settings page from bottom and i got lucky to have the vacation responder in the bottom of the page.

So, while testing, I observed that the vacation message is going in between a div tag. So as usual, i used a simple payload with img tag (  <img src=a onerror=alert(1)>  ) to test my luck. As soon as the payload entered with < and >, the server invalidated the input and stripped of the special chars. So i tried the same payload in URL encoded form (  %3cimg%20src%3da%20onerror%3dalert(1)%3e  ) and this time i got lucky. The tag was successfully embedded. 

However the payload was not executing properly due to poor rendering of img tag in the response. It took too much time to execute. So i changed my payload to more simple and my default xss payload with style tag (in URL encoded form).

%3Cstyle%20onload%3D%22alert(1)%22%3E%3C%2Fstyle%3E

This time the payload executed successfully and got the popup. The next thing i tried was, to check where the payload got execute. For that i used alert(document.location). and to my surprise the payload got execute within the main domain itself.

The exact payload i used to get an xss was   
asdsssasd%22%26gt%3B%3Cstyle%20onload%3D%22alert(document.location)%22%3E%3C%2Fstyle%3E


I reported the bug to GOOGLE Security team in October, 2013 and got patched within 10 days... This is the story of  "how i got my first bounty" ( with a little luck of-course )... 

THANK YOU...



2 comments: