Re: google xssApr 12 2006 12:34PM Vladimir Levijev (vladimir levijev gmail com)
On 4/10/06, pagvac <unknown.pentester (at) gmail (dot) com [email concealed]> wrote:
> Very nice observation. Good reminder that sometimes you don't need to
> go fancy using different encodings and so on. Sometimes, changing a
> simple field value can make a difference (such as in this case). Many
> people have tried really hard to find XSS bugs in the main English
> version of the Google search page (there are several examples that
> went public), but this guy was much smarter and tried something
> different (changing the language parameter in this case).
Yesterday this worked for me and I disabled script for google.com .
Today I enabled the script for google and tested it again. I could not
reproduce it! Seems google has fixed this bug. Correct me if I'm
wrong. For now I have enabled script back for google.
> Very nice observation. Good reminder that sometimes you don't need to
> go fancy using different encodings and so on. Sometimes, changing a
> simple field value can make a difference (such as in this case). Many
> people have tried really hard to find XSS bugs in the main English
> version of the Google search page (there are several examples that
> went public), but this guy was much smarter and tried something
> different (changing the language parameter in this case).
Yesterday this worked for me and I disabled script for google.com .
Today I enabled the script for google and tested it again. I could not
reproduce it! Seems google has fixed this bug. Correct me if I'm
wrong. For now I have enabled script back for google.
Regards,
--
[vl@dimir]#
[ reply ]