
Showing posts from May, 2014

Stored XSS on Shopping Express Checkout [Reward]

Google Shopping Express is a same-day shopping service ("shop local stores online and get items delivered on the same day") from Google that was launched on a free trial basis in San Francisco and Silicon Valley in spring 2013 and publicly in September that year.
This stored XSS surfaced on the "Shopping Express Checkout" page: by adding a payload to the "City" parameter in wallet.google.com I could bypass the restrictions and trigger the XSS back on Google Checkout.
Image of Proof:
This XSS was triggered just before paying; pretty handy, don't you think?
Well, I reported this to the Google Security Team and they replied very quickly, fixing this bug within a week:



I'm very happy to be back on the Google Hall of Fame and I'd like to thank the Google Security Team for the reward.
I created a video reproducing this XSS:


Bypass Flash Same Origin Policy with Add-On

The same-origin policy is an important concept in the web application security model. Under the policy, a browser permits scripts on one page to access data in another page only if both pages have the same origin (scheme, host and port). Flash Player enforces its own version of this policy for SWF content: cross-domain loads are governed by the target site's crossdomain.xml policy file, and configuration files placed in the Flash Player Trust directory can widen the sandbox in which a SWF runs.

I found that users of FlashFirebug are vulnerable to a same-origin policy bypass. This Firefox add-on creates files in the Flash Player Trust directory that switch off same-origin policy enforcement.
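As an added example (not the post author's code), here is a POSIX shell script that audits the Flash Player Trust directories for configuration files written by add-ons and flags entries that trust an entire filesystem root, home directory or download area. The trust-directory locations are Adobe's documented per-user and system-wide paths for Linux and macOS; the "too broad" heuristic and the sample trust files used to exercise it are assumptions of this example.

```shell
#!/bin/sh
# Audit the Flash Player Trust directories for configuration files that
# widen Flash Player's sandbox. Added example; not the post author's code.
#
# Trust file format (Adobe): one local path per line, '#' starts a comment.
# A directory entry trusts every SWF beneath it, so an entry such as "/" or
# a whole home directory effectively turns off the normal sandbox.

# Heuristic for "too broad" entries (assumption of this example): a
# filesystem root, a home directory, a temp directory, or a download,
# browser-profile or cache directory. Windows paths are not covered.
BROAD_RE='^(/|/home|/home/[^/]+|/Users|/Users/[^/]+|/tmp|/var/tmp|.*/Downloads|.*/\.mozilla.*|.*/\.cache.*)/?$'

# audit_trust_dir DIR: print every trusted path granted by files in DIR.
# Returns 1 if any entry matches BROAD_RE, 0 otherwise (also 0 if DIR
# does not exist, i.e. nothing has been trusted there).
audit_trust_dir() {
  dir=$1
  rc=0
  [ -d "$dir" ] || return 0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    # Keep only real entries: trim trailing whitespace/CRs, then drop
    # comment lines and blank lines.
    entries=$(sed -e 's/[[:space:]]*$//' -e '/^[[:space:]]*#/d' -e '/^$/d' "$f")
    [ -n "$entries" ] || continue
    printf '%s trusts:\n%s\n' "$f" "$entries"
    if printf '%s\n' "$entries" | grep -Eq "$BROAD_RE"; then
      printf '  WARNING: overly broad trust entry in %s\n' "$f"
      rc=1
    fi
  done
  return $rc
}

# main: walk Adobe's documented per-user and system-wide trust directories
# for Linux and macOS; returns 1 if any file grants overly broad trust.
main() {
  overall=0
  for d in \
    "$HOME/.macromedia/Flash_Player/#Security/FlashPlayerTrust" \
    "/etc/adobe/FlashPlayerTrust" \
    "$HOME/Library/Preferences/Macromedia/Flash Player/#Security/FlashPlayerTrust" \
    "/Library/Application Support/Macromedia/FlashPlayerTrust"
  do
    audit_trust_dir "$d" || overall=1
  done
  return $overall
}

main "$@"
```

Run it on a machine with the add-on installed and compare the listed entries against what you actually meant to trust; a file you did not create yourself, or one that names a directory rather than a single SWF, is what this post is about.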


For this example I will use the Facebook video preview box to trigger this Flash XSS. (Fortunately, Facebook uses attachment.fbsbx.com.)


By using a Flash XSS, plus having FlashFirebug installed on the victim's Firefox, I can trigger this XSS and bypass the same-origin policy.



I reported this to Facebook and this was the response:




And, being a good bounty hunter, I also reported it to Adobe:




After a bit of looking I found that o-minds.com has a bug report page, and here is their response:



I replied to them and after that I didn't receive a response.


My conclusion:
External add-ons can bypass the Flash "Same Origin Policy" by adding files to the Flash tr…