# Title: Google Fusion Tables XSS (HTML Injection) Vulnerability
# Release Date: 07/03/2013
# Author: Junaid Hussain - [ illSecure Research Group ]
# Contact: illSecResearchGroup@Gmail.com | Website: http://illSecure.com
# Vulnerable Application: https://www.google.com/fusiontables/DataSource?dsrcid=implicit
-------------------------------------------------------------------------------------------------------------------------------------------------------------
//##### Process:
1. go to https://www.google.com/fusiontables/DataSource?dsrcid=implicit
2. Click "Create empty table" and then click "Next"
3. Click the drop down menu on the Cards1 tab
4. Select "Change Card Layout" and then go to the Custom Tab
5. Remove the HTML code add the following code into the box:
<A HREF="http://EVIL_SITE_HERE.COM"><h1>Click here to continue</h1></A>
6. Click save & then Click the share button (top right) and make the link public
7. Click the drop down menu on the Cards1 tab and select the Publish Option
8. Send the Publish Link to victim.
-------------------------------------------------------------------------------------------------------------------------------------------------------------
//##### Proof Of Concept:
PoC: https://www.google.com/fusiontables/embedviz?viz=CARD&q=select+*+from+19VGTDJasS8NJlbbqnsiDFA_qH7Q95e2dTOKd5RU&tmplt=1&cpr=2
Video: http://www.youtube.com/watch?v=OMCJQ8Atkek&feature=youtu.be
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Contact: illSecResearchGroup@gmail.com
- Junaid Hussain
http://www.illsecure.com
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Original: http://www.illsecure.com/2013/03/exclusive-google-fusion-tables-xss-html.html
------------------------------------------------------
