Thursday, November 22, 2012

Google Stored DOM XSS Vulnerability (Malicious URL)

Are domain’s links always safe to click on?

On Nov 1, 2012 I noticed something strange in Google’s producer behavior. In the beginning it was only an HTML injection. Then, I succeeded in exploiting it. However, the XSS was in a sandbox’s domain: A few days later, I noticed that the simulations of Tables (iPhone, iPad, Android, etc.) are connected to the sandbox domain through  Using the Grand Access the attacker could send a malicious link that seems to be hosted in Furthermore, the attacker could inject any DOM script he wanted.


Special thanks to Google's security team for the great support.
