How I found Reflective XSS in Yahoo Subdomain

Syntax Error
Sep 3, 2017 · 3 min read

When 2017 started, I had a bounty goal of finding a bug in Yahoo, but I never actually got time to look into their program. One day I planned to go for it. So here is the writeup on how I found Reflective XSS on a Yahoo subdomain. This is my first writeup, so please ignore any mistakes that you find.

The first step was to find subdomains of Yahoo, and the tool I used was Sublist3r (https://github.com/aboul3la/Sublist3r).


Once I had the list, I started checking the subdomains one by one. During that time my attention went to one of the subdomains: https://hkfood.yahoo.com

There was a search bar on the site to look up recipes, and I initially tried a couple of payloads to see which characters were filtered. To my luck, my initial payload itself worked and I could pop XSS.

Vulnerable URL: http://hkfood.yahoo.com/search_result#keywords=“/>.<<img src=x onerror=alert(1)//”&gt;>&lt;&gt;&page=1


I reported the bug to Yahoo, and it was marked Resolved the very next day. I rechecked the vulnerable URL and was not able to reproduce the issue.

After 2 days, I was getting bored and thought about retesting around the same XSS bug. This time I found that <script> and <img> tags were being filtered.

So I started trying different combinations of payloads to see if I could break the URL. To get the <script> tag working, I broke it into pieces like below, added that to the old vulnerable URL, and hurray!!!

Payload: <scr<script>ipt>alert(1)</scr</script>ipt>
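To show why the nested payload survives, here is an added example that is not part of the original post: a constructed stand-in for a one-pass blacklist filter (an assumption, not the filter the site actually ran) that strips <script> and <img>, beside the repeat-until-stable variant and the contextual output encoding a defender should use instead. The `renderResults` function and its heading markup are also assumed for illustration.

```javascript
// Added example, not code from the original post or from the site it describes.
// BLOCKED_TAGS and the filter below are a constructed stand-in for a naive
// blacklist; the real filter on the site is unknown.
const BLOCKED_TAGS = ["script", "img"];

// Payload exactly as given in the writeup.
const BYPASS_PAYLOAD = "<scr<script>ipt>alert(1)</scr</script>ipt>";

// Single pass: each blocked tag is removed once. Removing "<script>" from
// "<scr<script>ipt>" leaves "<scr" + "ipt>", which is "<script>" again.
function naiveStrip(value) {
  let out = value;
  for (const tag of BLOCKED_TAGS) {
    out = out.replace(new RegExp(`</?${tag}[^>]*>`, "gi"), "");
  }
  return out;
}

// Repeat until nothing changes. This closes the nesting trick but is still a
// blacklist: anything not on the list (other tags, event handlers) passes.
function stripUntilStable(value) {
  let prev;
  let out = value;
  do {
    prev = out;
    out = naiveStrip(out);
  } while (out !== prev);
  return out;
}

// Contextual output encoding for an HTML text node. The browser renders the
// literal characters and never parses a tag, whatever the input looks like.
function encodeForHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Detection check: does the rendered fragment still contain a script tag?
function hasScriptTag(fragment) {
  return /<script\b/i.test(fragment);
}

// Assumed stand-in for the search page writing the keyword into its heading.
function renderResults(keyword, sanitize) {
  return `<h2>Results for: ${sanitize(keyword)}</h2>`;
}

console.log(renderResults(BYPASS_PAYLOAD, naiveStrip));     // still executes a script
console.log(renderResults(BYPASS_PAYLOAD, encodeForHtml));  // inert text
```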


Tips:

  • Always retest your bugs after they are marked Resolved. There is a good chance that you will find a bypass.
  • I have seen some folks using tools/scripts to get Sublist3r output in hyperlink format. You can simply copy the Sublist3r output, paste it in Gmail and mail it to yourself to get the output URLs as hyperlinks.

Thanks for taking the time to read my blog. For any questions, you can get in touch with me at Syntaxerror
