Stored XSS in Google Doubleclick Studio [Google Research Grant]

This bug was reported under the Google Research Grant. I received a $500 research grant from Google in November 2020 and chose DoubleClick Studio as the target.

Type : Stored XSS

URL : https://www.google.com/doubleclick/studio/#creatives:

The XSS executes on a sandbox domain rather than the main application origin, hence it was not eligible for a reward.

Reproduction Steps : 

  1. Create an HTML file with the following vector (the proof-of-concept payload from the report; Enabler.js is the library every Studio creative loads):
    <script src="https://s0.2mdn.net/ads/studio/Enabler.js"></script>
    <script>
    alert(document.domain);
    </script>
  2. Now go to https://www.google.com/doubleclick/studio/#creative: and upload the Enabler HTML file as a creative.
  3. Fill in the other details and move to preview. The vector will execute, and the alert shows the sandbox domain rather than google.com.
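The deciding factor in this report is where the uploaded creative runs: a sandbox domain, not the application origin. As an added example (not from the original post), the Python helper below classifies how well a preview origin is isolated from the application origin, distinguishing cross-origin-but-same-site hosts (where domain-scoped cookies still reach the preview) from a fully separate domain. The suffix list and the sandbox host names are constructed for illustration, standing in for the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real check would load the PSL.
PUBLIC_SUFFIXES = {"com", "net", "example", "co.uk", "usercontent.example"}


def origin(url):
    """Return (scheme, host, port) per RFC 6454, with default ports normalised."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def registrable_domain(host):
    """eTLD+1 of host: the longest matching public suffix plus one more label."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # no suffix matched: fall back to the last two labels


def preview_isolation(app_url, preview_url):
    """Classify the preview origin relative to the application origin.

    same-origin : script in the preview runs with the application's privileges
    same-site   : cross-origin, but cookies scoped to the shared eTLD+1 still reach it
    isolated    : different registrable domain; the browser treats it as a stranger
    """
    app, prev = origin(app_url), origin(preview_url)
    if app == prev:
        return "same-origin"
    if registrable_domain(app[1]) == registrable_domain(prev[1]):
        return "same-site"
    return "isolated"


if __name__ == "__main__":
    app = "https://www.google.com/doubleclick/studio/"
    for preview in ("https://www.google.com/preview/",            # constructed
                    "https://studio-preview.google.com/",          # constructed
                    "https://creative123.usercontent.example/"):   # constructed
        print(f"{preview:45} -> {preview_isolation(app, preview)}")
```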

Video POC : 

 

Thanks for reading. New blog posts are coming soon.
