Common Google XSS

1 minute read

When I was searching for a vulnerability in google DNS from Google Cloud, I came across this article by Julien Ahrens. The article is about an SSRF vulnerability in the Google website, so I started researching this site.

Simple research ⇾ XSS

The site has many apps, all of them are listed inside the robots.txt file:

User-Agent: *
Allow: /apps/main
Allow: /apps/browserinfo
Allow: /apps/checkmx
Allow: /apps/dig
Allow: /apps/har_analyzer
Allow: /apps/loganalyzer
Allow: /apps/loggershark
Allow: /apps/messageheader
Allow: /apps/recovery
Allow: /apps/useragent
Allow: /apps/other_tools
Allow: /apps/encode_decode
Allow: /apps/screen_recorder
Disallow: *

Most of the tools are accessible from the /apps/main menu, however, the recovery app (at /apps/recovery) isn’t.

From a simple search in google I see the recovery app has these sub-pages:


All of which receive many parameters from the query string in URL (parameters in {url}?parm1=1&param2=2...): visit_id, user, domain, email and some more.

In google search I also spotted a result that has Verify that you own title, with this link :

The server apparently just verifies that the email matches the domain, then presents a page with some thank you text and a continue button:


google continue page

And the link in the continue button, was … you guessed it: just taken from the continue URL parameter.

So I tried placing there continue=javascript:alert(document.domain), and… It works!

The site didn’t use any CSP, or any protection at all. So I also could send and receive data from external sites: (e.g. continue=javascript:fetch(%27{alert(data);%20}), which alerts the user public ip). I reported it to Google.


google reward table screenshot

google reward table screenshot.

Since this is an XSS, and its on a normal Google application, it falls into the 3133$ square in google rewards. Therefore, I got more than twice than I got to both parental control bypasses (googles secret browsers) combined.

I name this article “Common” because it’s really an openredirect->xss by the book. No thinking is required, just trying to change random parameters on URLs.

Did you find the Easter egg in this article?