How I found Reflective XSS in Yahoo Subdomain

When 2017 started, I had a bounty goal of finding a bug in Yahoo, but I never actually got time to look into their program. One day I planned to go for it. So here is the writeup on how I found reflected XSS on a Yahoo subdomain. This is my first writeup, so please ignore any mistakes that you find.

The first step was to find subdomains of Yahoo, and the tool I used was Sublist3r (https://github.com/aboul3la/Sublist3r).

Once I had the list, I started checking the subdomains one by one. During that time my attention went to one of the subdomains: https://hkfood.yahoo.com

There was a search bar on the site to look up recipes, and I initially tried a couple of payloads to see what characters were filtered. Luckily for me, my initial payload itself worked and I could pop XSS.

Vulnerable URL: http://hkfood.yahoo.com/search_result#keywords="/>.<<img src=x onerror=alert(1)//"&gt;>&lt;&gt;&page=1

I reported the bug to Yahoo and it was marked Resolved the very next day. I rechecked the vulnerable URL and was not able to reproduce the issue.

After 2 days, I was getting bored and thought about retesting around the same XSS bug. This time I found that <script> and <img> tags were being filtered.

So I started trying different combinations of payloads to see whether I could break the filter. To get a <script> tag through, I broke it into pieces as below, added that to the old vulnerable URL, and hurray!!!

Payload: <scr<script>ipt>alert(1)</scr</script>ipt>
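The bypass above works because a filter that deletes a blacklisted tag in a single pass leaves the surrounding fragments to reassemble into the very tag it removed. The following is an added example, not code from the original post or from Yahoo: a hypothetical single-pass strip filter of the kind the behaviour suggests, beside the standard fix of HTML-escaping the reflected value so it can never be interpreted as markup. The filter, the rendering function, and the sample keywords are assumptions for illustration; only the nested payload is taken from the post.

```javascript
// Added example (not from the original post): why a strip-once blacklist
// fails against the nested payload in the post, and what a proper fix looks like.

// Assumed shape of a blacklist filter: remove <script> and <img> tags in one pass.
// This is a hypothetical reconstruction, not the site's actual code.
function naiveFilter(input) {
  return input
    .replace(/<\/?script>/gi, "")   // drop opening/closing <script> tags once
    .replace(/<img[^>]*>/gi, "");   // drop <img ...> tags once
}

// Correct approach for an HTML text context: escape every character that
// can start or end markup, so user input is always rendered as text.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed rendering step: the search page reflects the keyword into its markup.
function renderResultsHeading(keyword, sanitize) {
  return `<h2>Results for: ${sanitize(keyword)}</h2>`;
}

// Detection helper: does the rendered markup still contain a script tag?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Nested payload quoted from the post above.
const NESTED_PAYLOAD = "<scr<script>ipt>alert(1)</scr</script>ipt>";

// Compare both approaches on the bypass payload and on a benign keyword.
function compareFilters(keyword) {
  const naive = renderResultsHeading(keyword, naiveFilter);
  const escaped = renderResultsHeading(keyword, escapeHtml);
  return {
    naive,
    naiveStillHasScript: containsScriptTag(naive),
    escaped,
    escapedStillHasScript: containsScriptTag(escaped),
  };
}

// Stand-alone run: prints the two renderings for the payload and a benign search.
if (typeof require !== "undefined" && require.main === module) {
  console.log(compareFilters(NESTED_PAYLOAD));
  console.log(compareFilters("mac & cheese")); // constructed benign keyword
}
```

The single-pass filter turns the nested payload into a clean `<script>alert(1)</script>`, which is exactly the bug the post describes; the escaped version renders the same input as inert text. The lesson for the fixing side is that removing dangerous substrings is not a substitute for encoding output for the context it lands in.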

Tips:

  • Always retest your bugs after they are marked Resolved. There is a good chance that you will find a bypass.
  • I have seen some folks using tools/scripts to get Sublist3r output in hyperlink format. You can simply copy the Sublist3r output, paste it into Gmail and mail it to yourself to get the output URLs as hyperlinks.

Thanks for taking time to read my blog. For any questions, you can get in touch with me at Syntaxerror