Bug Type: Stored XSS Vulnerability
Browser: Internet Explorer 7 or less
Vulnerable Module: Markup Helper : https://www.google.com/webmasters/markup-helper/
Status :Wont Fix .
Detailed WriteUp: Hey all 🙂 Back in December 2014 I reported a Cross Site Scripting vulnerability to Google Security . Google webmaster has a module of Structured Data Markup Helper which takes a website URL as a input and render it after blacklisting all the javascript calls or codes anywhere in the code . Tried some classical tricks to get some javascript code whitelisted but none worked. Rendered external url shows up in a iframe .
The actual web application code is being hosted on .
After giving up with attribute based javascripts events, i checked if style attribute is sanitized properly , fortunately it was not . I was able to inject javascript expressions in style attribute. So , i put the below vector in footer of my website code :
The javascript expressions is no more supported in modern browsers but till Internet Explorer 7 . After rendering nothing was ripped off from the vector as expected.
Now lets open the iframe src url in Internet Explorer 7 . The stored XSS payload gets fired.