A long time ago, I put an XSS payload in the HTTP Server response header on all of my self-hosted domains. Years of messing around with XSS has taught me that any public plaintext data will eventually be rendered as HTML by someone.

After some time, the Server header XSS popped up on loads of different websites. Most of them were the kind of SEO-spam-adjacent sites that have thousands of subdomains, each for a different domain name. And on each page, they display basic info about that domain, such as the Server header. The Server header was rendered as HTML, of course.

A different, much more interesting website was an internal Google tool called GodCluster[1]. Someone at Google entered one of my domains into it. It outputted information about that domain, including the Server header. The Server header was rendered as HTML, of course.

When a security engineer at Google was triaging my report of this XSS, they entered my domain name into who.is. It displayed records from the WHOIS registry, alongside some other data, such as the Server header. The Server header was rendered as HTML, of course.
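
As an added illustration (not code from the original post or from any of the sites mentioned), this Python sketch shows a domain-info page placing a fetched Server header into a table row verbatim, next to a version that treats it as untrusted text, plus a parser-based regression check. The sample headers, function names and length limit are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample: response headers from a looked-up domain whose
# Server header carries markup instead of a product name.
SAMPLE_HEADERS = (
    "Content-Type: text/html\r\n"
    "Server: nginx<img src=x onerror=alert(document.domain)>\r\n\r\n"
)
MAX_LEN = 128  # assumed display limit for a header value


def server_header(raw_headers):
    """Return the Server header value from a raw header block ('' if absent)."""
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return ""


def render_unsafe(domain, raw_headers):
    # The pattern the post describes: header text placed into markup verbatim.
    return f"<tr><td>{domain}</td><td>{server_header(raw_headers)}</td></tr>"


def render_safe(domain, raw_headers):
    # Treat remote-supplied fields as text: drop non-printable characters,
    # cap the length, then HTML-encode before building the row.
    value = "".join(c for c in server_header(raw_headers) if c.isprintable())
    return (f"<tr><td>{html.escape(domain, quote=True)}</td>"
            f"<td>{html.escape(value[:MAX_LEN], quote=True)}</td></tr>")


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    """Regression check: list the elements an HTML parser sees in a fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags
```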

| Timeline | |
|---|---|
| 2022-02-22 | Vulnerability reported |
| 2022-02-22 | Priority changed to P1 |
| 2022-02-22 | Filed a bug |
| 2022-03-08 | Reward issued[2] |