$3,133.70 XSS in golang's net/html library – My first Google bug bounty





This video is a writeup of a vulnerability I found in Google’s golang/net/html library that could lead to an XSS. It was my first submission to Google and I got a bounty of $3,133.70 for it.

Link to the exploit and hypothetical vulnerable app: https://gist.github.com/gregxsunday/4b08ea3f4b3961ac9cefcc3673b7c3c5
Commit with the fix: https://github.com/golang/net/commit/39940adcaaa73e661124cb80fb8dd57ea929dbaf

Timestamps:

00:00 Intro
00:28 Preparations before reviewing the code
00:57 Where do I start security code review?
02:00 The bug – XSS in golang net/html library due to invalid parsing of the comments
