InfoSecBulletin Cybersecurity for mankind
The writing is first published to medium where Henry N. Caga wrote about how he find out Google’s vulnerability and achieved hall of fame recognition.
Henry N. Caga wrote I stumbled upon a discovery that sent shockwaves through my system: an XSS (Cross-Site Scripting) vulnerability lurking within one of Google’s sub-domains. This vulnerability not only revealed a potential entry point for malicious actors but also shed light on the critical importance of robust cybersecurity practices, even for tech giants like Google. This discovery led to my advancement in the Google’s Hall of Fame and a reward. Read on to find out how much Google rewards for this discovery.
Bangladesh bank published CBS guideline Version 2.0
Fortinet report
Attackers exploiting vulnerabilities 50% faster, just 4.76 days
TechCrunch report
Indian gov.t sites compromised to plant online betting ads
Damage Costs Predicted To Exceed $265 Billion By 2031
Ransomware expected to attack every 2 seconds by 2031
ALERT CISA WARNS
Black Basta ransomware breached over 500 orgs worldwide
Cyber Attack On Data Center Cooling Systems results disruption
Chrome Zero-Day Alert — Update Your Browser to Patch
Dell Discloses Data Breach: 49 million customers allegedly affected
BIG VULNERABILITIES IN NEXT-GEN BIG-IP
UK confirms Ministry of Defence payroll data exposed in data breach
Discovery:
As a cybersecurity enthusiast, I often engage in what some might call “ethical hacking” — the search for vulnerabilities within systems with the intent to improve security. While exploring various sub-domains of popular websites, I came across an unassuming sub-domain and URL linked to Google.
This URL caught my eye:
https://aihub.cloud.google.com/url?q=https://cidadesmineradoras.com.br
At first glance, I had a gut feeling that this URL might be vulnerable.
Bug Hunting Tip #1: Always trust your instincts. If a URL seems vulnerable to you, it probably is!
I attempted to input various payloads into the ‘q’ parameter to see if I could uncover anything interesting or find a vulnerability, but unfortunately, I was unsuccessful. After trying different payloads without success, I decided to focus on my favorite XSS payload. I began tweaking and refining it.
Payload to Use: “><SvG/onload=alert(document.domain) id=hncaga>
To make this work correctly, I need to ‘URL encode’ special characters such as spaces, parentheses, etc.
The complete URL will be: https://aihub.cloud.google.com/url?q=https://cidadesmineradoras.com.br%22%3E%3CSvG/onload=alert(document.domain)%20id=hncaga%3E
Of course, this also didn’t work because this payload had already been included in my previous tests on this target URL.
What I did next was ‘URL encode’ all the characters of my payload to see if it could bypass filtering. Click here to read the full report.
