steambag
Posted August 31, 2016

Vulnerability

Google's login page accepts a vulnerable GET parameter, namely 'continue'. As far as I can determine, this parameter undergoes a basic check:

- Must point to *.google.com/*

The application fails to verify the type of Google service that has been specified. This means that it is possible to seamlessly insert any Google service at the end of the login process. A couple of Google services come to mind that might be interesting:

- Open Redirects (pick one)
- Arbitrary File Upload (Google Drive)

It is possible to specify both an open redirect

[hidden content] [any_domain_here]

And also an arbitrary file, provided public link sharing is enabled after uploading it to Google Drive

[hidden content] [file_id_here]&export=download
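For defenders, the post's point is the gap between a domain-wide wildcard check on a post-login redirect parameter and an allowlist of specific destinations. The following is an added example, not part of the original post and not Google's code; every host, path and function name in it is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed placeholder values; not Google's real hosts or paths.
BASE_DOMAIN = "example.com"
ALLOWED_TARGETS = {
    ("mail.example.com", "/inbox"),
    ("accounts.example.com", "/settings"),
}
SAFE_DEFAULT = "https://accounts.example.com/settings"


def weak_check(url: str) -> bool:
    """The kind of check the post describes: any host under the domain, any path."""
    host = (urlsplit(url).hostname or "").lower()
    return host == BASE_DOMAIN or host.endswith("." + BASE_DOMAIN)


def strict_check(url: str) -> bool:
    """Accept only https URLs whose exact host and path prefix are allowlisted."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    # Reject dot segments, percent-encoding and backslashes rather than normalising.
    if ".." in path or "%" in path or "\\" in url:
        return False
    return any(
        host == allowed_host and (path == prefix or path.startswith(prefix + "/"))
        for allowed_host, prefix in ALLOWED_TARGETS
    )


def post_login_target(continue_param: str) -> str:
    """Return the redirect target after login, falling back to a fixed default."""
    return continue_param if strict_check(continue_param) else SAFE_DEFAULT
```

The strict check treats the destination service as part of the decision, so a redirecting or file-serving endpoint elsewhere on the same domain no longer passes just because its hostname matches.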