This bug was reported under a Google Research Grant. I received a $500 research grant from Google in November 2020 and chose DoubleClick Studio as my target.
Type : Stored XSS
URL : https://www.google.com/doubleclick/studio/#creatives:
The XSS executes on a sandbox domain (a separate origin from the main application), hence it was not eligible for a reward.
Reproduction Steps :
- Create an HTML file with the following vector:
- Now go to https://www.google.com/doubleclick/studio/#creative: and upload the enabler HTML file.
- Fill in the other details and move to the preview. The vector will execute.
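The reason the report was not rewarded is the "sandbox domain": the uploaded creative is rendered from an origin that shares no cookies, storage or DOM with the logged-in application, so script running inside it cannot reach the session. The snippet below is an added example (not code from the original post, and not Google's own implementation) of what that isolation pattern looks like on the serving side. All hostnames (`app.example.com`, `usercontent-example.net`) are constructed placeholders, and the function names are my own.

```javascript
// Added example: isolating user-uploaded HTML previews on a separate "sandbox" origin.
// Hostnames are constructed placeholders, not real infrastructure.

const APP_ORIGIN = "https://app.example.com";            // constructed: where the user's session lives
const SANDBOX_ORIGIN = "https://usercontent-example.net"; // constructed: cookieless origin for previews

// Origin as the browser's same-origin policy sees it: scheme + host (+ port).
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// True only when the preview URL lives on an origin that is neither the app
// origin nor a subdomain of it. Subdomains are rejected too, because cookies
// scoped to the parent domain would still be visible there even though the
// same-origin policy treats them as a different origin.
function isIsolatedPreview(previewUrl, appOrigin = APP_ORIGIN) {
  if (originOf(previewUrl) === originOf(appOrigin)) return false;
  const previewHost = new URL(previewUrl).hostname;
  const appHost = new URL(appOrigin).hostname;
  if (previewHost === appHost || previewHost.endsWith("." + appHost)) return false;
  return true;
}

// Headers the sandbox origin should send when serving an uploaded creative.
// The creative may run its own scripts (that is what an HTML ad does), but the
// CSP `sandbox` directive gives it an opaque origin and the response never
// carries credentials, so stored script has nothing of the app's to steal.
function previewResponseHeaders(appOrigin = APP_ORIGIN) {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": `sandbox allow-scripts; frame-ancestors ${appOrigin}`,
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
  };
}

// Markup the application page uses to embed the preview. The iframe `sandbox`
// attribute without `allow-same-origin` is a second, client-side layer that
// holds even if the serving headers are ever misconfigured.
function previewIframeMarkup(previewUrl, appOrigin = APP_ORIGIN) {
  if (!isIsolatedPreview(previewUrl, appOrigin)) {
    throw new Error("preview must be served from the sandbox origin, not the app origin");
  }
  const safeSrc = previewUrl.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe src="${safeSrc}" sandbox="allow-scripts" referrerpolicy="no-referrer"></iframe>`;
}

// Stand-alone demonstration.
if (typeof require !== "undefined" && require.main === module) {
  const url = `${SANDBOX_ORIGIN}/creatives/123/index.html`;
  console.log(previewResponseHeaders());
  console.log(previewIframeMarkup(url));
}
```

The point to take from this is that "the vector executes" and "the vector executes somewhere that matters" are different findings: script running on the sandbox origin behaves exactly like script on any random third-party site from the application's point of view, which is why the report was closed without a reward.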
Video PoC:
Thanks for reading. New blog posts are coming soon.