Google adwords 3133.7$ Stored XSS
Welcome, my brothers and friends.
I would love to thank you for your support and wish success to all.
There was a dream called Google and its HOF without thinking about reward or anything else.
This vulnerability was the easiest vulnerability and the most rewarded vulnerability so far.
On 17/02/2018 I posted a post on Facebook.
Because I always choose my target and do not go to another without ending it completely.
My work as a lawyer also takes all my time and I only have 6 hours daily to do my hobby.
On 08/03/2018, while browsing my Gmail, I clicked on "Even more from Google". You will find it in the upper right side.
After browsing the entire page I chose my target which is Google adwords.
I logged in and started the test and moved from one page to another, and in fact I
was playing and didn't expect to find anything.
I added many payloads hoping that the magic alert would appear.
I went to this page:-
https://adwords.google.com/aw/conversions
I added a new conversation and in the conversation name I put this payload.
"><svg/onload=alert(document.domain)>"@x.y
After adding the payload it popped up many times and I thought it might be a
self XSS, so I clicked on "prevent this message" to continue and complete it.
After completion I clicked on Save Conversation.
And the payload didn't pop up any more because I chose to prevent the XSS alert.
I copied the entire URL and pasted it into the browser in a new tab, and this time I got shocked.
The payload was stored on the page and works on all the latest versions of browsers.
And it worked on Firefox on Windows.
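Why a stored name like this runs again on every page load, and how output encoding stops it, shown as an added example that is not part of the original write-up and is not Google's code. The row template, the function names and the attribute context are assumptions made for illustration; the page does not say where the name was rendered.

```javascript
// Added illustration. The markup is a hypothetical template, not AdWords code.

// Constructed input: the name value quoted in the write-up.
const storedName = '"><svg/onload=alert(document.domain)>"@x.y';

// Escape the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the stored name is concatenated into an attribute and a text node as-is,
// so the leading "> closes the attribute and the tag, and the rest is parsed as markup.
function renderRowUnsafe(name) {
  return '<tr><td><input value="' + name + '"></td><td>' + name + '</td></tr>';
}

// Hardened: same template, but every dynamic value is encoded at output time.
function renderRowSafe(name) {
  const safe = escapeHtml(name);
  return '<tr><td><input value="' + safe + '"></td><td>' + safe + '</td></tr>';
}

// Regression check (approximate): list every "<name" sequence in the output.
// The template itself only ever opens tr, td, input, td.
function openedTags(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g), (m) => m[1].toLowerCase());
}

// True when the stored value added no elements of its own to the row.
function isTemplateIntact(html) {
  return openedTags(html).join(',') === 'tr,td,input,td';
}

console.log(openedTags(renderRowUnsafe(storedName)).join(','));
console.log(isTemplateIntact(renderRowSafe(storedName)));
```

A check like isTemplateIntact can run in a unit test against every field that echoes stored user input, so a template that forgets to encode fails before release.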
I made a cup of coffee and lit a cigarette and wrote the report and I made a
video to explain the vulnerability and report it to Google and waited for the
reply hoping not to be duplicated.
I received a message from Google accepting the vulnerability
and saying "nice catch" (I loved it).
A very easy vulnerability, and I got a good bounty from the Google Vulnerability Reward Program and HOF.
Finally my name was added to the Google HOF.
Timeline:-
08/03/2018 I found the vulnerability and sent an email to Google
08/03/2018 Got an automatic reply confirming they’ve received my message
08/03/2018 I received a message from Google accepting the vulnerability
08/03/2018 I received a message from Google: "nice catch" (I loved it)
20/03/2018 closed the report and changed the status to Resolved
20/03/2018 Rewarded $ 3133.7 for Stored XSS in google adwords
I would love to thank you all for your patience in reading my write up and for
your continued support.
Especially:-
@ak1t4 z3n @Brute and @IfrahIman_
I'm very happy to unlock this achievement and my goal for this year is perfect so far.
Sorry for my bad English, but I just wanted to share this with you as I always do.
The POC video, hope you will like it:-