Youtube Editor Stored | DOM Based and Self Executed XSS Vulnerability


Bug Type: Stored | DOM Based and Self Executed XSS Vulnerability
Browser: Chrome, Mozilla, IE, etc.
Vulnerable Module: Youtube Editor: https://www.youtube.com/editor
Status: Fixed.

Detailed WriteUp: Hey all :) I sent this XSS vulnerability report to Google in October last year. The vulnerability existed in the Youtube Video Editor module. When you go to the Images tab on the editor page, there is a feature to upload images to the editor.
The injection point was the file name. I categorized it as DOM based XSS because both the source and the sink reside in the DOM, and as stored XSS because the vector was actually persistent. When an uploaded file is mouseovered, its file name is read from an attribute value of a span element and transferred into a tooltip box element that is dynamically created using JavaScript. The transfer of that information (the file name) between these DOM elements was not sanitized. So what I did: I uploaded an image with the vector as its file name: "><img src=x onerror=alert(document.cookie); >.jpg. Now when I mouseovered the newly uploaded image file, the vector was sent to the dynamically created div element, where it was not sanitized, and so the vector fired.
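The source-to-sink transfer described above, as an added example that is not code from the original report or from Youtube: the tooltip is modelled as string building (what an innerHTML assignment amounts to) so it runs outside a browser, with the unsanitized sink beside an escaping one; the data-filename attribute, the tooltip class and the helper names are assumptions.

```javascript
// Minimal HTML escaping for text and double-quoted attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable sink: the attribute value (source) is concatenated straight into
// markup that the page would assign to tooltip.innerHTML. A file name that
// closes the quote and the tag injects a new element.
function buildTooltipUnsafe(fileName) {
  return '<div class="tooltip" title="' + fileName + '">' + fileName + '</div>';
}

// Hardened sink: the same markup, but every interpolated value is escaped for
// the context it lands in, so the file name is rendered as text only.
function buildTooltipSafe(fileName) {
  const text = escapeHtml(fileName);
  return '<div class="tooltip" title="' + text + '">' + text + '</div>';
}

// Browser form of the fix (not exercised offline): textContent and setAttribute
// assign the value as text, so the browser never parses it as HTML.
function renderTooltipInBrowser(doc, span) {
  const tip = doc.createElement('div');
  tip.className = 'tooltip';
  const name = span.getAttribute('data-filename'); // assumed attribute name
  tip.setAttribute('title', name);
  tip.textContent = name;
  doc.body.appendChild(tip);
  return tip;
}

// Regression check for the template above: tag names present in the rendered
// markup other than the template's own <div>. Anything else was injected.
function injectedTagNames(markup) {
  const names = new Set();
  for (const m of markup.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)) {
    names.add(m[1].toLowerCase());
  }
  names.delete('div');
  return [...names];
}

// Constructed input: the vector from the report used as an uploaded file name.
const VECTOR_FILE_NAME = '"><img src=x onerror=alert(document.cookie); >.jpg';

console.log(injectedTagNames(buildTooltipUnsafe(VECTOR_FILE_NAME))); // [ 'img' ]
console.log(injectedTagNames(buildTooltipSafe(VECTOR_FILE_NAME)));   // []
```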

Full details video POC of the vulnerability:


For this vulnerability I got a nice reward from them. Thanks Google.
I would like to thank the Minded Security team and Stefano Di Paola for building the DOMinator tool. It helped me a lot to analyze the JavaScript flow.
Thanks!
Jasminder Pal Singh
