Reported to Google Security Team over this past weekend and resolved very quickly.
The Google Vulnerability Reward Program allows Researchers to submit qualifying bugs to the GST and be paid a reward, see URL http://www.google.com/about/corporate/company/halloffame.html and http://www.google.com/about/corporate/company/rewardprogram.html for details.
Q) How far should I go to demonstrate a vulnerability?
A) Please, only ever target your own account or a test account. Never attempt to access anyone else's data. Do not engage in any activity that bombards Google services with large numbers of requests or large volumes of data.
A) Please, only ever target your own account or a test account. Never attempt to access anyone else's data. Do not engage in any activity that bombards Google services with large numbers of requests or large volumes of data.
Q) I've found a vulnerability — how do I report it?
A) Contact details are listed here.
A) Contact details are listed here.
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://www.google.com |
| Path: | /recaptcha/help |
Issue detail
The value of the c request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 246f4'><script>alert(1)<
No comments:
Post a Comment