This is interesting, not because Google is vulnerable again, but because it is a pretty common mistake. Default 404 under IE doesn’t show the page, but if the server creates it’s own custom 404 page, that can be problimatic if the developers don’t know how to strip out XSS.

This entry was posted on Thursday, January 1st, 1970 at 12:00 am and is filed under XSS, Webappsec. You can leave a response as well.