Improper xss fix in www.google.co.in
Reported by pardeepb...@gmail.com, May 8 2017
Issue description

Hi guys,

There is an XSS vulnerability at google.co.in. You guys already applied the fix, but it is improper. You guys encode these " > < characters, but not these ) : ( characters. When I entered javascript:alert(document.cookie) in the address_bar, it showed me the popup, which contains the cookie in the payload. I have attached the screenshot for the above issue. It only happens in google.co.in.

Thanks,
Pardeep Battu
May 8 2017
To be clear, if you typed literally the string javascript:alert(document.cookie) in the browser address bar and hit enter, then it is expected that this executes script; see https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Does-entering-JavaScript:-URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there-s-an-XSS-vulnerability-

If you typed that string in the search box in the Google page, that would indeed be a security bug (but not in Chrome, instead in Google.com; they have a bounty program elsewhere).

Can you clarify exactly what you typed, and where? If you reproduced this by typing in the search box on the Google page itself, please provide the URL which demonstrates the issue.
May 9 2017
Please email security@google.com for the bug in google.co.in. This is not a vulnerability in Chrome browser.
Aug 16 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by pardeepb...@gmail.com, May 8 2017 (attachment, 1.0 MB)