Search This Blog

Powered by Blogger.

Blog Archive

Labels

Akshay AKA 0z0n3 claims he found xss vulnerability in blogspot


Akshay AKA 0z0n3 claimed that he have discovered a Persistent XSS vulnerability in blogspot.com.  He managed to inject the xss vector in his own blogger dashboard. He is sure it is not template page(usually templates allow bloggers to inject scripts ). 

He used one of the following xss vector:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

After injecting, he didn't get a pop-up but after some minutes he started getting pop-ups. He reported about the vulnerability to Google Security team. The vulnerability is not rewarded by Google.


"Thank you for your note. We took a look at the XSS issue you reported. Unfortunatley, the XSS issues is executing on the blogspot domain and not blogger.com. We come some of these scenarios here.

http://www.google.com/about/company/rewardprogram.html#javascript-blogger

Unfortunately, XSS issues on blogspot(as opposed to blogger.com) do not quailfy for the VRP.  If you manage to execute this javascript on someone else's blog or on the blogger.com domain, that would qualify for a reward." Google response mail.
Share it:

XSS Vulnerability