Filter Bypass to Reflected XSS on https://finance.yahoo.com (mobile version)

Today I'll share with you an interesting XSS in Yahoo. Yahoo is my favorite target because it has a big scope, so let's start.

During the hunting process, I noticed that some websites have a responsive mobile version. Vulnerabilities found in the desktop version of a website are not always present in the mobile version, and the reverse is also true. I tried to find a bug on https://finance.yahoo.com but didn't find anything :(, so I decided to look for bugs in the mobile version of the site instead.

[Figure: mobile version of Yahoo Finance]

Until I found a very interesting endpoint:

https://finance.yahoo.com/quote/xxxxxxxxyyyyzzzzzz

At this endpoint, everything I put in the URL path was reflected in the page. I could have used this for content spoofing, but I didn't, since that has no impact for Yahoo and is also out of scope. So my other option was to test for XSS, which I did with the following payload:

https://finance.yahoo.com/quote/"><svg onload=alert(1)>

Luckily, I saw in the page source that the characters "&gt;&lt; were reflected as-is, so I should have been able to execute an XSS. At first I did not understand why the XSS did not work, given that the attack vector was correct. Then I realized that the input landed inside a script block, so I had to close the </script> tag first for the XSS to work. And then...

[Figure: payload not running :(]

Well, I started to study the behavior of this XSS and realized that the reflected payload was being converted to uppercase, and a payload in uppercase does not work: JavaScript identifiers are case-sensitive, so ALERT is not alert. I just needed the word "alert" to reach the page in lowercase. Then I thought of HTML character encoding: numeric character references contain only digits, so they survive the uppercasing, and the browser decodes them inside the event handler attribute before the JavaScript runs.

Lowercase string: alert

HTML-encoded: &#97;&#108;&#101;&#114;&#116;

New XSS payload:

https://finance.yahoo.com/quote/"></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>

:O :O :O and happiness came into my life :D.
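To show why the bypass above works and what actually fixes it, here is an added example (not code from the original post or from Yahoo). It models the server's uppercasing of the reflected value and the browser's decoding of character references in an attribute value; the `caseFoldFilter` and `escapeHtml` functions are assumptions for illustration, not Yahoo's code.

```javascript
// Stand-in for the HTML parser's decoding of character references inside an
// attribute value: decimal (&#97;), hex (&#x61;) and the five basic named ones.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
function decodeCharRefs(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|amp|lt|gt|quot|apos);/gi, (m, ref) => {
    if (ref[0] !== "#") return NAMED[ref.toLowerCase()];
    const hex = ref[1].toLowerCase() === "x";
    return String.fromCodePoint(parseInt(hex ? ref.slice(2) : ref.slice(1), hex ? 16 : 10));
  });
}

// The case-folding "filter" the post observed (assumed server behaviour).
// JavaScript is case-sensitive, so ALERT(1) fails, which is why the plain
// payload did not run. Digits are unaffected, so numeric references pass through.
function caseFoldFilter(input) {
  return input.toUpperCase();
}

// Context-aware output encoding, the real fix. Escaping "&" first means a
// smuggled "&#97;" reaches the parser as "&amp;#97;" and decodes to literal text,
// and the quote/angle brackets can no longer break out of the original context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// What the JavaScript engine would receive as an onload handler body after the
// server-side transform and the browser's attribute-value decoding.
function handlerSeenByBrowser(input, serverTransform) {
  return decodeCharRefs(serverTransform(input));
}

// Constructed inputs: the plain identifier and the post's payload, URL-decoded.
const plain = "alert";
const encoded = "&#97;&#108;&#101;&#114;&#116;";

console.log(handlerSeenByBrowser(plain, caseFoldFilter));   // ALERT  (not callable)
console.log(handlerSeenByBrowser(encoded, caseFoldFilter)); // alert  (filter bypassed)
console.log(handlerSeenByBrowser(encoded, escapeHtml));     // &#97;&#108;... (inert text)
```

The lesson for defenders: transforming reflected input (case changes, partial stripping) is not a defense, because the HTML parser decodes character references after the transform; encode for the output context instead.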

Thanks

Twitter: @saamux