Filter Bypass to Reflected XSS on https://finance.yahoo.com (mobile version)

Samuel
Sep 24, 2017 · 3 min read

Today I'll share with you an interesting XSS in Yahoo. Yahoo is my favorite target because it has a big scope, so let's start.

While hunting, I noticed some websites that have a separate responsive mobile version. Vulnerabilities detected on a website are not always present in its mobile version, and the reverse is also true. I tried to find a bug on the website https://finance.yahoo.com, but I didn't find anything :(, so I decided to look for bugs in the mobile version of this website.

[Screenshot: mobile version of Yahoo Finance]

Until I found a very interesting endpoint:

https://finance.yahoo.com/quote/xxxxxxxxyyyyzzzzzz


On this endpoint, everything I put in the URL path was reflected in the page. I could have done content spoofing through this, but I didn't, since it has no impact for Yahoo and is also out of scope. So my other option was to test for XSS, which I did with the following payload:

https://finance.yahoo.com/quote/"><svg onload=alert(1)>


Luckily, in the source code I saw that the characters "&gt;&lt; were reflected as-is, so I could execute an XSS. However, at first I did not understand why the XSS did not fire, given that the attack vector was correct. Then I understood that the input landed inside a script block, so I had to close the </script> tag first for the XSS to work. And then…


Not running :(

So I started to study the behavior of this XSS and realized that the payload was being converted to capital letters, and a payload in capital letters does not work: JavaScript identifiers are case-sensitive, so ALERT is not a function. I just needed the word "alert" to end up in lowercase. Then I came up with HTML character encoding: the browser decodes numeric character references inside the event-handler attribute before running it, and the digits in those references are unaffected by the uppercasing.

Plain text (lowercase):

alert

HTML character encoding (decimal numeric character references):

&#97;&#108;&#101;&#114;&#116;

New XSS payload (the character references are URL-encoded, so &# becomes %26%23):

https://finance.yahoo.com/quote/"></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>
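The behaviour described above, as an added Python example that is not part of the original post and not Yahoo's code: `uppercase_transform` and `render_vulnerable` are constructed stand-ins for what the post observed (the reflected value is uppercased and dropped, unencoded, into a JS string inside a script block), `to_decimal_refs` reproduces the encoding of "alert" shown above, `html.unescape` approximates how a browser decodes an attribute value before running the handler, and `render_fixed` is the mitigation that actually closes the hole: context-appropriate output encoding rather than case transformation.

```python
import html
import json


def to_decimal_refs(text: str) -> str:
    """Encode every character as a decimal numeric character reference (&#NN;).
    This reproduces the encoding step the post applies to the word "alert"."""
    return "".join(f"&#{ord(ch)};" for ch in text)


def uppercase_transform(value: str) -> str:
    """Constructed stand-in for the server-side behaviour the post observed:
    the reflected value is converted to capital letters. Not Yahoo's code."""
    return value.upper()


def as_browser_decodes_attribute(attr_value: str) -> str:
    """Approximate what a browser does with an attribute value such as
    onload="...": character references are decoded before the JS runs,
    so the digits survive the uppercasing and still decode to lowercase."""
    return html.unescape(attr_value)


def render_vulnerable(symbol: str) -> str:
    """Hypothetical vulnerable template: the uppercased symbol is inserted
    unencoded into a JS string inside <script>, which is why a payload first
    has to close </script> to break out into HTML."""
    return f'<script>var symbol = "{uppercase_transform(symbol)}";</script>'


def render_fixed(symbol: str) -> str:
    """Mitigation: JSON-encode the value for the script context and escape
    '<' and '>' so the output can never contain a literal </script>.
    The uppercasing is kept to show it was never the security control."""
    encoded = (json.dumps(uppercase_transform(symbol))
               .replace("<", "\\u003c")
               .replace(">", "\\u003e"))
    return f"<script>var symbol = {encoded};</script>"


def script_breakout(page: str) -> bool:
    """Detection check on the rendered page: does a closing </script>
    (any case) appear before the template's own closing tag?"""
    body = page[len("<script>"):page.rfind("</script>")]
    return "</script>" in body.lower()


if __name__ == "__main__":
    # Constructed sample input: the post's encoded payload, before URL-encoding.
    encoded_alert = to_decimal_refs("alert")
    print(encoded_alert)                                    # &#97;&#108;&#101;&#114;&#116;
    print(uppercase_transform("alert"))                     # ALERT (not a JS function)
    print(as_browser_decodes_attribute(uppercase_transform(encoded_alert)))  # alert
    probe = '"></script><svg onload=x>'
    print(script_breakout(render_vulnerable(probe)))        # True
    print(script_breakout(render_fixed(probe)))             # False
```

The point for a defender is the last two lines: the same probe breaks out of the vulnerable template regardless of the uppercasing, while JSON encoding with `<` and `>` escaped keeps the value inside the JS string in every case.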


:O :O :O and happiness came into my life :D

Thanks

Twitter: @saamux
