Reflected XSS in Yahoo!

By Shahzada Al Shahriar Khan, Thursday, August 31, 2017

Tags: Bug Bounty, Cross-Site Scripting, Ethical Hacking, Hackerone, Reflected XSS in Yahoo, XSS In Yahoo

Hello guys, this is Shahzada Al Shahriar Khan, known as TheShahzada.

I am from Bangladesh, and I am a newbie in bug bounty. :P

Well, now I will share how I found Reflected Cross-Site Scripting (XSS) in the main & sub domain of Yahoo.

Vulnerable URL:

Payload I Use:



Yahoo Canada Subdomain

Video PoC:

Timeline:

Aug 12th: I Submitted The Report.
Aug 15th: Triaged The Report & Rewarded Me $300 Initial Bounty.
Aug 16th: Resolved
Aug 24th: $400 Bounty Rewarded.


Originally published at on August 31, 2017.