XML XSS in *.yandex.ru by Accident

Fuck Caption

I will tell this story as short as posibble cause i know everyone hate reading ? or i hate writing? who know? just read cause this represent my feeling.

Long time a go in betlehem~ , no no no this not a song. enough , time to serious.

I just surf in the internet bout em some SEO and i come with this site when i surf to deeper :( no im not, it just by an accident. okay let’s go

i saw request like this in my burp history and i goto repeater to testing something-something good :D xixixi.

we can see our request get reflected in response body with content-type as XML
First try, i try to insert payload like this <script>alert()</script> but we can see our payload can’t escape that TAG in XML.
Second try, i try to escape with this payload “><script>alert()</script> to escaping the tag. but . . . this happen

we success escaping the TAG but this payload is fail to popup in browser , we should make sure alert() function to popup in our browser to execute JAVASCRIPT , remember this is a XSS ( cross-site-scripting ) not an cascading style sheets (CSS) , XSS is injection to make a JS executed in Browser !

Because this is a XML i try to rewrite the XML with this payload

“><?xml version=”1.0" standalone=”no”?><!DOCTYPE svg PUBLIC “-//W3C//DTD SVG 1.1//EN” “http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version=”1.1" baseProfile=”full” xmlns=”http://www.w3.org/2000/svg"><polygon id=”triangle” points=”0,0 0,50 50,0" fill=”#009900" stroke=”#004400"/><script type=”text/javascript”>alert(document.location);</script></svg>

Because the payload have a break-line and some spaces , and then we should replace this payload to GET request , we should encode this payload with urlencode to make a valid request to server.

And boom …

Humbalahumba~

And the final touch we should make sure this payload is will show us a popup in browser. and i try to popup my cookies in browser and .. .. .. Boom

Boom syalalalala~~

No meme today :( im sorry

Proof-of-payment