Stored XSS in Google Doubleclick Studio [Google Research Grant]

This bug was reported under the Google Research Grant program. I received a $500 research grant from Google in November 2020 and chose DoubleClick Studio as the target.

Type : Stored XSS

URL : https://www.google.com/doubleclick/studio/#creatives:

The XSS payload executes on a sandbox domain rather than on the application's own origin, so the bug was not eligible for a reward.

Reproduction Steps : 

  1. Create an HTML file with the following vector (the Studio Enabler library followed by an inline script):

       <script src="https://s0.2mdn.net/ads/studio/Enabler.js"></script>
       <script>
       alert(document.domain);
       </script>

  2. Now go to https://www.google.com/doubleclick/studio/#creative: and upload the HTML file as a creative.
  3. Fill in the other details and move to the preview. The vector executes there.

Video PoC:


Thanks for reading. New blog posts are coming soon.
