Sharing is Caring :)
When we share, we open doors to a new beginning.

Well, this is Shahzada Al Shahriar Khan, and I am from Bangladesh.
Now I am going to share how I found Stored Cross-Site Scripting (XSS) in Yahoo.

Steps to Reproduce:

Go to

Post this payload as a comment: "><img src=x onerror=confirm(1);>

Now what? Voila! We get the famous confirm(1) popup! :D

I tried another payload so that I could write something in the popup box, and found this one: <img src=x onerror=prompt(1337)>
At that moment I felt like a boss!
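The first payload starts with ">, which only works when the stored comment is concatenated into a double-quoted HTML attribute without encoding: the quote closes the attribute, the > closes the tag, and the <img> that follows is parsed as real markup. The following example is added here and is not code from the original post or from Yahoo; the comment template and the author/comment values are constructed stand-ins. It shows the unsafe rendering beside a hardened version that entity-encodes user text for the context it lands in, plus a small regression check a defender can run over rendered output.

```javascript
// Added example (not from the original post, not Yahoo's code). The template
// below is a constructed stand-in for a comment widget; the two payloads are
// the ones quoted in the write-up.
const PAYLOAD_ATTRIBUTE_BREAKOUT = '"><img src=x onerror=confirm(1);>';
const PAYLOAD_BODY = '<img src=x onerror=prompt(1337)>';

// Minimal HTML entity encoder, safe for text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable rendering: the stored comment is dropped straight into the markup,
// once inside a double-quoted attribute and once in the element body. A '"' in
// the comment closes the attribute and a '<' opens a new tag.
function renderCommentUnsafe(author, text) {
  return '<div class="comment" data-text="' + text + '">' +
         '<b>' + author + '</b>: ' + text + '</div>';
}

// Hardened rendering: every user-controlled value is entity-encoded, so the
// browser sees &quot; and &lt; as characters rather than as syntax.
function renderCommentSafe(author, text) {
  return '<div class="comment" data-text="' + escapeHtml(text) + '">' +
         '<b>' + escapeHtml(author) + '</b>: ' + escapeHtml(text) + '</div>';
}

// Regression check for rendered comment blocks: the only tags allowed in the
// output are the template's own wrapper elements. Any other tag (such as an
// <img> carrying an onerror handler) means user text reached the parser as markup.
const ALLOWED_TAGS = new Set(['div', '/div', 'b', '/b']);
function hasUnexpectedMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^\s>]*/g) || [];
  return tags.some(t => !ALLOWED_TAGS.has(t.slice(1).toLowerCase()));
}

// Stand-alone demonstration over both payloads.
function demo() {
  const results = {};
  for (const [name, payload] of [['attribute', PAYLOAD_ATTRIBUTE_BREAKOUT], ['body', PAYLOAD_BODY]]) {
    results[name] = {
      unsafeBroken: hasUnexpectedMarkup(renderCommentUnsafe('alice', payload)),
      safeBroken: hasUnexpectedMarkup(renderCommentSafe('alice', payload)),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block prints unsafeBroken: true and safeBroken: false for both payloads. The check is deliberately narrow (it knows the template's tag set), which is the right shape for a unit test on a specific rendering path; it is not a general HTML sanitizer.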

Here is the video PoC:

Video PoC


31/03/2018 — Initial Report.

01/04/2018 — HackerOne staff asked for ‘Needs more info.’

01/04/2018 — More Info Submitted.

04/04/2018 — Triaged and a $300 initial bounty rewarded.

06/04/2018 — Bug Resolved.

11/04/2018 — $1700 bounty rewarded. (Total $2000)

Thanks for reading.


Originally published at on April 27, 2018.

~InfoSec Enthusiast, Bug Bounty Hunter, CTF Player
