This bug was reported under a Google Research Grant. I received a $500 research grant from Google in November 2020 and chose DoubleClick Studio as the target.
Type : Stored XSS
URL : https://www.google.com/doubleclick/studio/#creatives:
The XSS executes on a sandboxed domain, so it was not eligible for a reward.
Reproduction Steps :
- Create an HTML file with the following vector:

    <script src="https://s0.2mdn.net/ads/studio/Enabler.js"></script>
    <script>
    alert(document.domain);
    </script>
- Now go to https://www.google.com/doubleclick/studio/#creative: and upload the Enabler HTML file.
- Fill in the other details and move to the preview. The vector will execute.
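The reason the finding above was not rewarded is the defensive pattern that makes it survivable: uploaded HTML5 creatives must be allowed to run scripts (the Enabler is itself a script), so the mitigation is not to strip scripts but to serve the creative from an origin that holds no session state and to confine it with the CSP sandbox directive and a sandboxed iframe. The following is an added example of that pattern, written for this page and not DoubleClick Studio's or Google's own code; the hostnames are constructed placeholders, and the registrable-domain check is a simplified two-label approximation that a real deployment would replace with a public-suffix-list lookup.

```python
"""Serving user-uploaded HTML creatives from an isolated origin.

Example code added to this page; not the ad platform's own implementation.
APP_HOST and PREVIEW_HOST are constructed placeholders.
"""
from html import escape
from urllib.parse import urlsplit

# Placeholder hosts: the app origin carries session cookies, the preview
# origin carries nothing and sits on a different registrable domain.
APP_HOST = "app.example.com"
PREVIEW_HOST = "preview.example-usercontent.net"

# Constructed sample: the stored-XSS vector from the reproduction steps above.
SAMPLE_CREATIVE = (
    b'<script src="https://s0.2mdn.net/ads/studio/Enabler.js"></script>\n'
    b"<script>\nalert(document.domain);\n</script>\n"
)


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1 (last two labels). Real code should consult the
    public suffix list so that e.g. co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_isolated_origin(preview_url: str, app_host: str = APP_HOST) -> bool:
    """True when the preview URL lives on a different registrable domain than
    the application, so cookies scoped to the app domain and document.domain
    relaxation cannot reach it."""
    host = urlsplit(preview_url).hostname or ""
    if not host:
        return False
    return registrable_domain(host) != registrable_domain(app_host)


def preview_response_headers(creative_html: bytes) -> dict:
    """Response headers for serving an uploaded creative verbatim.

    The creative keeps its scripts; the CSP sandbox directive gives the
    document an opaque origin (no cookies, storage or same-origin DOM access)
    while allow-scripts lets Enabler.js and the ad logic still run.
    """
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "sandbox allow-scripts",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
        "Content-Length": str(len(creative_html)),
    }


def build_preview_page(creative_url: str) -> str:
    """Embed the creative in the app's preview page through a sandboxed iframe.

    Refuses to embed anything that is not on the isolated origin, so a
    misconfigured upload path cannot silently put user HTML on the app domain.
    """
    if not is_isolated_origin(creative_url):
        raise ValueError("creative must be served from an isolated origin")
    return (
        f'<iframe src="{escape(creative_url, quote=True)}" '
        'sandbox="allow-scripts" referrerpolicy="no-referrer"></iframe>'
    )


if __name__ == "__main__":
    url = f"https://{PREVIEW_HOST}/creatives/123/index.html"
    print(preview_response_headers(SAMPLE_CREATIVE))
    print(build_preview_page(url))
```

With these headers the sample creative still runs, but `document.domain` inside it reports the preview host rather than the application host, and the document has no cookies or storage to read, which is exactly the "sandbox domain" condition the author describes.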
Video POC :
Thanks for reading. New blog posts are coming soon.