Stored-XSS-on-groups-google-com

Hiiiii.....
My name is Alessandro Rumampuk, I'm from indonesian.

1. Description!!!

- What is the vulnerability?

* Stored XSS vulnerability!

- OS/Browser: Windows 7 Professional 64-bit, Firefox Portable.

- Recorder: Bandicam Full Version Cracked.

2. Steps Reproduce:

- Created file's [document.domain2.xht] and [document.domain3.xhtml].

* Payload [document.domain2.xht]: <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(document.domain)</a:script>

* Payload [document.domain3.xhtml]: <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(document.domain)</a:script>

- Open Google Groups [groups.google.com] Site.

- Login your Google Account.

- Create your groups.

- Make one post on group.

* Enter the post title: Stored XSS vulnerability [groups.google.com].

* Enter the posting field: Stored XSS Testing.

* Attach the file's [document.domain2.xht] and [document.domain3.xhtml].

- Create the post.

- Open the file's [document.domain2.xht] and [document.domain3.xhtml].

- And boom, Vuln Stored XSS [groups.google.com].



3. Source Code:



4. Bug Status:

Bug found: 22-02-2020 (22:17)
Bug report: 22-02-2020 (23:38)
Bug replied (Google Bot): 22-02-2020 (22:39)
Bug clarification: 24-02-2020 (19:31)

Clarification: Bugs Status (Out Of Scope) sandbox domain: https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain

Status: New - Intended Behavior (Won't fix)

Report closed: 24-02-2020 (19:31)

Youtube: R,ando
Facebook: R,ando