Stored XSS in Google Ads Android Application— $3133.70
Introduction
This article is a write up on how I found a Stored XSS in Google Ads Android Application where I was rewarded with $3133.70 I was waiting for the fix and after discussing with Google Security Team I am disclosing my finding.
Currently I am ranked in Top 200 at Google Hacker’s Ranking ,
What is Stored XSS
Stored XSS attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent XSS.
Vulnerability exploitation
When you have a large scope to hack it is always difficult to choose the target, but this time I wanted to hack on Google Ads as I have seen many reports regarding XSS on Google Ads and as always I wanted to get XSS my all time favorite.
I started listing bugs found on Google Ads and I was amazed to look at some awesome XSS. So I started hunting it was 3 days on same target did everything with bypasses but no luck didn’t found any XSS.