How i found an Stored XSS on Google Books

Sokol Çavdarbasha
2 min readSep 18, 2023

--

Hello Hackers, I’m Sokol Çavdarbasha, I’m 20 years old from Kosovo and welcome to my first story about a vulnerability that i found on Google Books.

Great. Now that we’re done with that, we can get to the real thing this article’s about.

One day I decided to hunt for vulnerabilities on Google.I was looking to find XSS (Cross Site Scripting) . So i start to digg into google.com and i was focused on Google Books.

So i thought why no to try here for XSS, and i type in search bar the following payload “><img src=x onerror=alert(1)>, and i got an book that another Security Researcher uploaded it to https://play.google.com

so i press the “Preview” button and the XSS gets triggered

XSS Trigger

the XSS triggered successfully, so i quickly report it to Google VRP Team at https://bughunters.google.com, and they responded quickly with a …

Google Response

i was so happy that i got an “Nice catch” response from Google VRP Team with Priority P1 and Severity S1, and got rewarded $XXXX as this is my first valid bug that i reported to Google.

PoC:

I hope that you enjoyed reading this article and sorry if there are things that are not clear.

Thanks for Reading : )

Sincerely,

Sokol Çavdarbasha.

You Can Follow me on :

Instagram: https://www.instagram.com/sokolcav

Linkedin: https://www.linkedin.com/in/sokol-%C3%A7avdarbasha-845426232/

Twitter: https://twitter.com/sokolicav

--

--

Sokol Çavdarbasha
Sokol Çavdarbasha

Written by Sokol Çavdarbasha

Cyber Security Engineer at Beriflapp and Security Researcher at HackerOne