This vulnerability is claimed to have been discovered by two people, Vansh Sharma & Vaibhuv Sharma. Previously, a critical SQL injection vulnerability was found in the Google Labs website by Shadman Tanjim of Bangladesh Cyber Army last June. It is expected that Google will quickly fix all these bugs to secure themselves better. 8)
POC :
1. Go to [You must be registered and logged in to see this link.]
2. Edit HTML -> Remove All Codes
3. Type this script :
<img src="<img src=search"/onerror=alert("XSS_Kadal")//">
then click DEBUG CODE
4. It will first show you "Sample must have <head> element". Click OK and wait for the window to load. If nothing happens, try the same thing again, or simply click RUN CODE
5. You will get a popup, which is the XSS. :o
Note :
The page itself is fairly straightforward. It uses JavaScript to parse the query string and extract key/value pairs; it then calls document.write to add the data provided by the user directly to the page.
If you look at the HTML on the page right now, you can see that user input is sanitized using JavaScript’s escape function: in the past, that was not the case. That lack of sanitization is what allowed the vulnerability to occur.
source from hackforum.net 8)
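The pattern described in the note above, as an added example that is not part of the original post or Google's code: the query-string handling is modelled as pure functions so the unsanitized output can be compared with an encoded one. All function names and the sample query are hypothetical, and the hardened form uses HTML-entity encoding rather than the escape() call the note mentions, since escape() percent-encodes and is deprecated.

```javascript
// Added illustration: models "parse query string, then document.write" as
// pure functions so it runs under Node without a browser DOM.

// decodeURIComponent throws on malformed %-sequences; keep the raw text instead.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Split "?k=v&k2=v2" into decoded key/value pairs.
function parseQuery(qs) {
  const params = Object.create(null); // no prototype, so "__proto__" is just a key
  for (const pair of qs.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const key = i === -1 ? pair : pair.slice(0, i);
    const val = i === -1 ? "" : pair.slice(i + 1);
    params[safeDecode(key)] = safeDecode(val.replace(/\+/g, " "));
  }
  return params;
}

// HTML-entity encode for text placed in element content or quoted attributes.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// "Before": the string that would be handed to document.write unmodified.
function renderUnsafe(params) {
  return Object.keys(params).map((k) => "<p>" + k + ": " + params[k] + "</p>").join("");
}

// "After": same markup, every user-controlled piece encoded first.
function renderSafe(params) {
  return Object.keys(params)
    .map((k) => "<p>" + htmlEncode(k) + ": " + htmlEncode(params[k]) + "</p>")
    .join("");
}

// Constructed sample input (not taken from the original page).
const SAMPLE_QUERY = "?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&lang=en";

const parsed = parseQuery(SAMPLE_QUERY);
console.log("unsafe:", renderUnsafe(parsed)); // markup reaches the page as markup
console.log("safe:  ", renderSafe(parsed));   // markup reaches the page as text
```

In a browser the safer equivalent of the "after" path is to avoid document.write altogether and assign user data through textContent.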