Sunday, October 23, 2016

Stored XSS in Google Cloud Console Monitoring (StackDriver)

I found a stored XSS in StackDriver, which serves as Google's Cloud Console Monitoring. It is an app monitoring service that lets users monitor the activity of their apps, like an analytics tool. The stored XSS executed because of the app name. I provided an XSS payload as the app name, and when I was about to create a "rule", StackDriver lets you choose the app where the rule will be implemented. I was about to select the XSS app, but then the XSS executed.

This is the 5th time I have been rewarded by the Google Security Team.

That's all for now. Thanks.
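The pattern described in the post (a stored app name rendered later in the rule's app picker), as an added example that is not from the original post and is not StackDriver code. The function names, the app records and the markup-bearing name are constructed, and building the list by string templating is an assumption.

```javascript
// Added example: all names and records are constructed for illustration.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the five characters that are significant in HTML text and
// quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup as-is,
// so any tags in it become part of the page in every view that lists apps.
function renderAppPickerUnsafe(apps) {
  const options = apps
    .map((a) => `<option value="${a.id}">${a.name}</option>`)
    .join("");
  return `<select name="app">${options}</select>`;
}

// Hardened form: encode at output time, in the view that renders the name.
// Encoding on output also covers records stored before any input filter existed.
function renderAppPickerSafe(apps) {
  const options = apps
    .map((a) => `<option value="${escapeHtml(a.id)}">${escapeHtml(a.name)}</option>`)
    .join("");
  return `<select name="app">${options}</select>`;
}

// Audit helper: list ids of stored names that contain angle brackets,
// so existing records can be reviewed after the rendering fix ships.
function findNamesWithMarkup(apps) {
  return apps.filter((a) => /[<>]/.test(a.name)).map((a) => a.id);
}

// Constructed sample records; the second name carries harmless markup.
const storedApps = [
  { id: "app-1", name: "checkout-service" },
  { id: "app-2", name: '<i title="x">billing</i>' },
];

console.log(renderAppPickerSafe(storedApps));
console.log(findNamesWithMarkup(storedApps));
```

In a browser client the equivalent fix is to assign the name with `textContent` rather than `innerHTML`.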


  1. proof of concepts , pleeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeease.

  2. Replies
    1. no, since it can affect other users you invite

    2. How much was the payout for this? Did it qualify for $3,133.7 ? :)