Friday, September 18, 2015

XSS vulnerability in Google image search

Seven days ago I reported to Google Security an XSS vulnerability I discovered in Google image search.
It's not very hard to find, but it's tricky to exploit!

I was looking for an image to set as my profile picture on HackerOne. I found the image I was looking for, opened it in a new tab, and something in the URL caught my attention.

The url was " "

The value of the parameter "imgurl" is set as the href attribute of an <a> tag with the text "View image".

So I tried changing that parameter to "javascript:alert(1)" and boom, the href attribute changed to "javascript:alert(1)". How could it be that easy? Well, it's not that easy.

When you click on "View image", the href attribute value changes to " ".

I looked into the code and found that Google had an onmousedown event handler that rewrites the href attribute to point at the Google redirection page. Sad, huh?
I tried a lot of things to bypass this, but still no luck!

I finally used my keyboard: I pressed the [Tab] key until the "View Image" link was focused, pressed Enter, and the XSS was triggered. Activating a link from the keyboard fires no mousedown event, so the handler that rewrites the href never runs and the original "javascript:" value is what the browser navigates to.
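The lesson for defenders is that rewriting an attribute in an event handler is not input validation: the value must be checked before it ever reaches the href. The following is an added example of that check, written here for illustration and not Google's code. It assumes Node.js (for the global WHATWG URL parser) and that the page builds the anchor from an "imgurl"-style query parameter; the function names (safeHref, escapeAttr, renderViewImageLink) are this example's own.

```javascript
// Added example (not Google's code): validate a URL taken from a query
// parameter before it is placed in an <a href>, instead of relying on a
// mousedown handler to rewrite it after the fact.
// Assumes Node.js, where the WHATWG `URL` class is a global.

// Only absolute URLs with these schemes are allowed into href.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised URL string if `candidate` is an absolute URL with an
// allowlisted scheme, otherwise null. Going through the URL parser rather
// than a regex matters: the parser applies the same normalisation the browser
// does (case-folding the scheme, stripping leading whitespace and embedded
// tabs/newlines), so "JaVaScRiPt:" or "java\tscript:" are still seen as
// javascript: and rejected. Relative input throws (no base URL) and is
// rejected too, because an image URL is expected to be absolute.
function safeHref(candidate) {
  if (typeof candidate !== "string") return null;
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Minimal HTML attribute escaping so the value cannot close the quoted
// attribute and inject another one (e.g. an onclick handler).
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the "View image" anchor. A rejected value falls back to a harmless
// placeholder rather than being echoed into href.
function renderViewImageLink(imgurl) {
  const href = safeHref(imgurl) ?? "#";
  return `<a href="${escapeAttr(href)}">View image</a>`;
}

// Constructed sample inputs, the first being the payload described above.
const samples = [
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  "  javascript:alert(1)",
  "data:text/html,x",
  "/relative/image.png",
  "https://example.com/a.png?x=1&y=2",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", renderViewImageLink(s));
}
```

Because the check runs on the server (or in the template layer) before the HTML is produced, it makes no difference whether the link is later activated by mouse, keyboard, or script; the scheme allowlist and attribute escaping are what keep a "javascript:" value out of the href.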

12/9/2015 Vulnerability discovered and reported
15/9/2015 Google confirmed the issue
16/9/2015 Fix and reward