diff --git a/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md b/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md index e8df744db1..24d1ed0518 100644 --- a/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md +++ b/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md @@ -92,7 +92,7 @@ In order to give access to the OAuth token you need to click on **`Services +` a * **Drive**: To access drive data * **Google Sheets API**: So it works with the trigger -To change yourself the **needed scope**s you can go to project settings and **enable S`how "appsscript.json" manifest file in editor`.** +To change yourself the **needed scopes** you can go to project settings and enable: **`Show "appsscript.json" manifest file in editor`.** {% code overflow="wrap" %} ```javascript @@ -175,9 +175,6 @@ Note that you can check the **runs of the App Scripts in the Executions tab** if In order to **trigger** the **App Script** the victim needs to connect with **Editor Access**. -As summary, if the creator and invited user are **from the same organization** the **OAuth** **token** will **belong** to the **user** accessing the file.\ -If they are from **different organizations**, the **token** will belong to the **creator of the trigger** always with **only the OAuth permissions given** when the trigger was created. - {% hint style="success" %} The **token** used to execute the **App Script** will be the one of the **creator of the trigger**, even if the file is opened as Editor by other users. {% endhint %} 
@@ -244,8 +241,6 @@ Just create an App Script, go to Triggers, click on Add Trigger, and select as e This will create a security alert email and a push message to your mobile alerting about this. {% endhint %} - - ### Shared Document Unverified Prompt Bypass Moreover, if someone **shared** with you a document with **editor access**, you can generate **App Scripts inside the document** and the **OWNER (creator) of the document will be the owner of the App Script**.
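Review bot: In the first hunk (around line 92), the added line still opens with "To change yourself the **needed scopes**", which reads awkwardly, and the closing period is still inside the bold span (`.**`). Suggest rewording to "To change the **needed scopes** yourself, go to project settings and enable" followed by the option name, with the period moved outside the bold markers.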
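Review bot: In the second hunk (around line 175), the removed summary was the only text here stating that the token carries "only the OAuth permissions given when the trigger was created"; the hint that remains says only whose token is used. Dropping the same-organization sentence is consistent, since it contradicted the hint, but consider adding the scope limitation to the hint so that detail is not lost. A line in the commit message explaining why the same-organization claim was removed would also help readers of the history.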
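Review bot: In the third hunk (around line 244), the two removed blank lines sit between `{% endhint %}` and the "### Shared Document Unverified Prompt Bypass" heading. Please confirm that one blank line still separates the closing hint tag from the heading after this change, so the heading stays visually and structurally distinct from the hint block.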