Google Bug Bounty $3133 Writeup XSS Vulnerability

(Last Updated On: April 1, 2020)

The vulnerability was found by Pethuraj, a security researcher from India, who shared the write-up with us.

Google acknowledged the report and rewarded him with $3133.7.

We hope the following write-up will help new bug hunters and researchers.

“This is one of my interesting writeups, for a vulnerability I found on one of Google’s subdomains.

I started to test Google for vulnerabilities in the hope of earning some bounties and registering my name in their Google Bughunter Hall of Fame security researchers list!

Writeup:

I used tools like Knock Subdomain Scan, Sublist3r and other recon tools to find the subdomains of Google.

[Screenshot: google-subdomains finder]

Using some recon tools, I gathered many subdomains and, interestingly, I visited https://tez.google.com/ (now Google Pay). I found some parameters on the URL containing referrer IDs passing some values.

I used a Google dork with specific search operators to filter for the parameter contained in the subdomain.

site:tez.google.com inurl:referrer_id=

I got some of the referrer_ids in the search results, like below.

[Screenshot: google search tez]

I tried all the possible ways to exploit the publicly visible referrer_id and, to my bad luck, I couldn’t find any!

Interestingly, I found the referrer_ids getting reflected in part of the web page.

[Screenshot: tez site]

To my luck, I tried popping an XSS, and it was XSS!

[Screenshot: xss on tez site]

I reported this vulnerability to Google as per the Google Vulnerability Reward Program (VRP).

Soon after I reported it, Google triaged my report and asked me to wait for the bounty amount and the Hall of Fame.

[Screenshot: acknowledgement]

And after waiting for some days, I received a mail from the Google Security Team that I was rewarded with a $3133.7 bounty, as this is just a DOM-based XSS.

[Screenshot: google mail acknowledgement]

As per Google’s VDP, my vulnerability report falls into the category mentioned below, and hence the $3133.7 bounty.

[Screenshot: bounty table]

Along with the bounty, I’ve also been added to the Google Hall of Fame! Ranked 253 among 800 other security researchers.

That’s it in this writeup!

To see all my acknowledgements, Hall of Fame entries and bug bounty journey, visit https://www.pethuraj.in

Stay tuned for more writeups.

Thank you”
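The step the writeup above only hints at (a referrer_id read from the URL and reflected into the page, which is what made it a DOM-based XSS) is shown here as an added example. It is not the researcher's code and not Google's page: only the parameter name referrer_id and the host come from the writeup, while the "invite" markup, the function names (renderInviteVulnerable, renderInviteHardened, escapeHtml, containsForeignTag) and the sample URLs are assumptions constructed for illustration. The vulnerable sink sits beside its hardened form, and a small check shows how to assert in a test suite that the parameter cannot introduce a tag.

```javascript
// Added example (not the researcher's code and not Google's page):
// the DOM-based XSS pattern the writeup describes, a URL parameter
// read on the client and written into page markup without encoding,
// next to a hardened version. Only the parameter name referrer_id
// and the host come from the writeup; the "invite" markup and every
// function name here are assumptions made for illustration.

// Source: read the parameter the way client-side code would.
// new URL() behaves the same in Node and in browsers, so the
// example runs without a DOM.
function getReferrerId(pageUrl) {
  return new URL(pageUrl).searchParams.get("referrer_id") || "";
}

// Vulnerable sink: the decoded value is concatenated into markup
// that would then be assigned to element.innerHTML. Any tag in the
// value is parsed as DOM, so a referrer_id can carry an event handler.
function renderInviteVulnerable(pageUrl) {
  const id = getReferrerId(pageUrl);
  return '<p class="invite">Invited by <b>' + id + "</b></p>";
}

// Hardened sink: HTML-encode the characters that can change the
// markup before the value is inserted (equivalently, write it with
// element.textContent and never build HTML from the parameter).
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderInviteHardened(pageUrl) {
  const id = getReferrerId(pageUrl);
  return '<p class="invite">Invited by <b>' + escapeHtml(id) + "</b></p>";
}

// Regression check for a test suite: does the rendered markup contain
// a tag that is not part of the template? If the parameter can
// introduce one, the sink is injectable.
const TEMPLATE_TAGS = new Set(["p", "/p", "b", "/b"]);

function containsForeignTag(html) {
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !TEMPLATE_TAGS.has(t));
}

// Constructed sample URLs: an ordinary referrer id and a probe of the
// kind used to confirm an XSS. Neither is taken from the writeup.
const BENIGN_URL = "https://tez.google.com/?referrer_id=abc123";
const PROBE_URL =
  "https://tez.google.com/?referrer_id=" +
  encodeURIComponent("<img src=x onerror=alert(1)>");

console.log("vulnerable:", renderInviteVulnerable(PROBE_URL));
console.log("hardened:  ", renderInviteHardened(PROBE_URL));
```

Run it with a recent Node (URL and String.prototype.matchAll are built in). The vulnerable renderer hands the decoded `<img ...>` straight to what would become innerHTML, while the hardened renderer emits `&lt;img ...&gt;`, which the browser shows as text. The containsForeignTag check is the kind of assertion that catches this class of bug before a bounty hunter does; the real fix is to stop building HTML from URL data at all.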

The HackersOnlineClub team congratulates Pethu. Best of luck with future bounties.
