In this (very short) article, I would like to show an easter egg found months ago in Google Security vulnerability submission form.

In the javascript code below, you can see a packed function responsible for overthrow my hopes to report a valid vulnerability to Google. It hurts my feelings as well.

eval(function (p, a, c, k, e, r) {
    e = function (c) {
        return c.toString(a)
    if (!''.replace(/^/, String)) {
        while (c--) r[e(c)] = k[c] || e(c);
        k = [
            function (e) {
                return r[e]
        e = function () {
            return '\\w+'
        c = 1
    while (c--)
        if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
    return p
}('5(4.3.6(/2\\([\'"]a[\'"]\\)/))2(\'c\');7 5(4.3.6(/2\\([0-9]/))2(b);7 5(4.3.6(/2\\(8.d/))2(\'q.0.0.1\');7 5(4.3.6(/2\\(8.f/))4.3=\'g://h.i/j/k-l-m-n-o/p.e\';', 27, 27, '||alert|href|location|if|match|else|document||xss|42|excesses|domain|aspx|cookie|http|allrecipes|com|Recipe|Beths|Spicy|Oatmeal|Raisin|Cookies|Detail|127'.split('|'), 0, {}));

Let’s try to unpack the above code with an online Javascript unpacker to better understand it.

if (location.href.match(/alert\(['"]xss['"]\)/)) alert('excesses');
else if (location.href.match(/alert\([0-9]/)) alert(42);
else if (location.href.match(/alert\(document.domain/)) alert('');
else if (location.href.match(/alert\(document.cookie/)) location.href = '';

As you may have noticed in the last unpacked code, there is a different (trolling) behaviour for each alert type.The “vulnerable” parameter of the website is “rl” so if you try to inject code that match with the regexp defined, you will be trolled.

Here there is a list of the possible payloads based on the unpacked code regular expressions. Please note that the parameters are NO longer vulnerable due to changes in the google website.

I want to thank the Google Security Team, for their hilarious sense of humour, and for making me both cry and laugh. You could find a compilation about the known easter eggs in “List Google hoaxes and easter eggs” at Wikipedia.


blog comments powered by Disqus