XSS vulnerability in Google image search


Seven days ago I reported to Google Security a XSS vulnerability I discovered in Google image search.
It's not very hard to find , but it's tricky to exploit!

I was looking for an image to set as my profile picture on HackerOne , I found the image I was looking for , opened it in a new tab and something in the url attracted me.

The url was " http://www.google.com.eg/imgres?imgurl=https://lh3.googleusercontent.com/-jb45vwjUS6Q/Um0zjoyU8oI/AAAAAAAAACw/qKwGgi6q07s/w426-h425/Skipper-LIKE-A-BOSS-XD-fans-of-pom-29858033-795-634.png&imgrefurl=https://plus.google.com/103620070950422848649&h=425&w=426&tbnid=ForZveNKPzwSQM:&docid=OEafHRc2DBa9eM&itg=1&ei=9ID8VZufMYqwUfSBhKgL&tbm=isch "

the value of the parameter "imgurl" is set to the href attribute of an <a> tag with the text "View image".

So , I tried changing that parameter to "javascript:alert(1)" and boom , the href attribute changed to "javascript:alert(1)" , How could it be that easy ? well it's not that easy.

When you click on "View image" , the href attribute value changes to " http://www.google.com.eg/url?sa=i&source=imgres&cd=&ved=0CAYQjBwwAGoVChMIjsP-48OByAIVxNMUCh3pSQ98&url=javascript:alert(1)&psig=AFQjCNGcADmmDJe6-BWjcDAJ1pV84euDZw&ust=1442698210302078 " .

I looked into the code and found that google had an onmousedown event that changes the href attribute to google redirection page. Sad , huh?
I tried a lot of things to bypass this , but still no luck!

I finally used my keyboard , pressed the [tab] key till I get the "View Image" button focused , press enter and the XSS was triggered.

Timeline:
12/9/2015 Vulnerability discovered and reported
15/9/2015 Google confirmed the issue
16/9/2015 Fix and rewad

Comments

  1. bobDecember 2, 2015 at 12:24 PM

    nice one

    ReplyDelete
  2. UnknownJanuary 19, 2016 at 9:38 PM

    This comment has been removed by the author.

    ReplyDelete
  3. UnknownAugust 17, 2017 at 5:45 AM

    This comment has been removed by the author.

    ReplyDelete
  4. vyshnav nkAugust 17, 2017 at 8:16 AM

    hiii are u in facebook
    ur id please

    ReplyDelete
  5. UnknownApril 15, 2018 at 12:08 PM

    Very Nice Vuln, I'm finding for a vuln in Google, but I'm seeing that it will take me much luck.

    So, good luck for the future, and go on ;)

    ReplyDelete
  6. rayanJune 14, 2018 at 2:18 AM

    kiduve

    ReplyDelete
  7. LoopyliciousApril 10, 2020 at 12:27 PM

    Hello, I think I am having this problem with google.com/save collection images. I get what seems like a redirect with 3 components and displays a blank page. I can not see any of the images I've stored in Google image collections and I think it may have started when I updated my chrome. It has synced across all of my devices as well. The url starts with https://www.google.com/imgres?imgurl=.
    Would you be able to help me?
    Thanks

    ReplyDelete

Post a Comment

Popular posts from this blog

Handlebars template injection and RCE in a Shopify app

Image
TL;DR We found a zero-day within a JavaScript template library called handlebars and used it to get Remote Code Execution in the Shopify Return Magic app. The Story: In October 2018, Shopify organized the HackerOne event "H1-514" to which some specific researchers were invited and I was one of them. Some of the Shopify apps that were in scope included an application called "Return Magic" that would automate the whole return process when a customer wants to return a product that they already purchased through a Shopify store. Looking at the application, I found that it has a feature called Email WorkFlow where shop owners can customize the email message sent to users once they return a product. Users could use variables in their template such as {{order.number}} , {{email}} ..etc. I decided to test this feature for Server Side Template injection and entered {{this}} {{self}} then sent a test email to myself and the email had [object Object] within
Read more

SQL Injection and A silly WAF

Image
Hi Folks, Today I'll be writing about some interesting SQL injection vulnerabilities I recently found. This is a private program so I won't be mentioning who the vendor is. #1: WAF? ok! At a lovely hacking night I started testing for a private bug bounty program, after about 30 minutes of throwing random single and double quotes inside all the parameters, one of the endpoints returned an error saying: {"error":"An unexpected error has occured"} So I looked at the request and set the value of the parameter to `23' and '1'='1` and as expected the endpoint returned valid results which means it's vulnerable to SQL injection! That's it, a lovely basic Boolean-Based SQL injection let's write the report and get a nice bounty! But... THE WAF! While further exploiting this vulnerability to extract data from the database as a proof of concept, the endpoint was returning {"error":" undergoing correct
Read more

SQL Injection: Utilizing XML Functions in Oracle and PostgreSQL to bypass WAFs

Image
TL;DR. In this blog post we will be discussing how built-in XML functions in Oracle and PostgreSQL database management systems can be used to bypass web application firewalls (WAFs). I will be presenting two real-life examples from private bug bounty programs where traditional methods for bypassing WAFs were not effective. Introduction It's really frustrating when you find a valid SQL injection vulnerability, but there isn't much to do because of a WAF blocking most of your payloads. Many WAF rules can be bypassed using character case switching, comments, splitting the payload into multiple parameters, double URL encoding and many other methods that depend on how the target application and the WAF handle your requests.  However, In the cases we are discussing in this blog, I was not able to bypass the WAF using common WAF bypass methods.  Case 1: SQL Injection in an Oracle database - WAF bypass using REGEXP_LIKE() and DBMS_XMLGEN.GETXMLTYPE() *This is a private bug bounty progr
Read more