Hacking the Giant: XSS on Google

ADIP
2 min readMar 27, 2024

--

Hello everyone, today I will share how I’ve found bug in Google.
I mainly do WebApp & Cloud vulnerability research (more focused on cloud) And I’m not that much active in bug bounties.
So let’s begin, I went to a deepmind.google to read just article, And I noticed unexpected behavior while browsing this website & i just intercept only few URL endpoints which was giving me interesting behavior & i was playing around with the functionality by probing them. And unfortunately google only accept few BUG classes in their WebApps
NB: I only use burp professional for my pen testing and refrain from automation.

And while testing the functionality I suddenly found an error (XSS) on an endpoint & and subsequently reports to the team.

you can see the PoC

And finally got the email today: It has been triaged.

I got a zero day on their cloud application a few days ago & submitted from outside to the team. Because when you submit to their bug bounty program you are hunting by their rules. So if you get a zero day, never submit it to a bug bounty program. According to Project Zero rules which means giving vendors a reasonable amount of time (usually 90 days) to fix the identified vulnerabilities before making them public. So I can’t make it public right now. I will give a detailed post on that too. stay in touch!

Tip: Always look for interesting behaviors rather than testing every endpoints.

--

--

ADIP
ADIP

Written by ADIP

Offensive Security Researcher | OSWE | eMAPT | GCPN

Responses (5)