Google Ads Self-XSS & Html Injection $5000

The bug that I found was Self-XSS and HTML Injection

The vulnerable domain is: https://ads.google.com/

The vulnerable URL & Parameter:
https://ads*google*com/aw/reporting/dashboard/view?ocid=314749368&dashboardId=600308&euid=322853027&__u=3449454923&uscid=314749368&__c=6595453432&authuser=0
Replace the [*] sign with [.]

First I tried to explore 4 websites with a domain *.google.com for 3 days, and look for weaknesses of these websites
on the first day I tried to do things that could be considered “boring”
Because of what? because in vain :(

and finally on the first day I tried to decide to stop searching and exploring.
on the second day I also did the same thing as the first day and the results also did not get anything :(

until finally I thought “can I get like the first?”
and in the end I gave up on the second day
and on the third day I started searching again on Google’s website, which has the domain https://ads.google.com/"
and try to find his weaknesses
the first weakness that i found was “HTML Injection”

I just fad trying to enter the html code on the website and I was surprised it worked

I am still curious and try XSS attacks
by using payload: <img src=x onerror=alert(document.domain)>
and it didn’t work

I also have not given up, and continue to try to use another payload and that also did not work

and finally … I succeeded in carrying out an XSS attack by adding the <test> tag and successfully bypassing the XSS
and I succeeded in bypassing XSS

after succeeding, I immediately report to the Google Security Team.
and they say “Nice Catch!”

after 3 weeks, Google give me a reward $5,000

and the bug has been fixed by the Google Security Team

Sorry if my english is not good :(

Timeline

Reporting Date - January 23, 2020 03:22PM
Nice Catch - January 23, 2020 05:15PM
Reward - Feb 13, 2020 08:20PM
Fixed - 7 Mar, 2020 03:49AM
Browser/OS: Firefox & Google Chrome / Windows 10 Home

POC Steps
. Go to https://ads.google.com/
. Login using your Account
. Click > Reports > Dashboard
. Add dashboard (+) > Rename, add a Title and description and Save
. Add Note
. Enter the Payload and Save

The payload is:
<u><strong><font color=”blue” size=”8px”>H<strong><font color=”red” size=”8px”>E<strong><font color=”gold” size=”8px”>L<strong><font color=”blue” size=”8px”>L<strong><font color=”green” size=”8px”>O <strong><font color=”blue” size=”8px”>G <strong><font color=”red” size=”8px”>O <strong><font color=”gold” size=”8px”>O <strong><font color=”blue” size=”8px”>G <strong><font color=”green” size=”8px”>L <strong><font color=”red” size=”8px”>E
<img src=”
https://www.sciencealert.com/images/2019-12/processed/CatsHaveFacialExpressionsButHardToRead_600.jpg" width=”600" height=”300">
<test><img src=x onerror=alert(document.domain)>

Video: https://www.youtube.com/watch?v=QP05znoHz-A

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store