Reflected XSS on

Hello guys, my name is Samuel and I’m a bug hunter from Chile. This is my first post about bug bounty programs. Today, I want to share with you an XSS which I found in the main domain of Yahoo.

I have detected a Reflected XSS in this website. The vulnerable endpoint was the following:

vulnerable endpoint

Every time I put any text, it was reflected on the web site. After adding the payload, I saw

"><%2fscript><script>alert(document.domain)<%2fscript>

The simple payload was working.
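As an added illustration (not the author's code, and the post does not show the server side), the snippet below reproduces the defect the post describes and the fix: the decoded query value is reflected into an attribute value verbatim in one version and HTML-entity-encoded in the other. The attribute context and the template are assumptions, inferred from the `">` prefix of the payload; the check function is the kind of verification a triager would run to confirm that the encoding fix actually landed.

```python
from html import escape
from urllib.parse import unquote

# The payload quoted in the post, exactly as it would travel URL-encoded in the query string.
PAYLOAD = '"><%2fscript><script>alert(document.domain)<%2fscript>'

# Hypothetical template (assumption): the search term is reflected inside an attribute value.
TEMPLATE = '<input type="text" name="q" value="{value}">'


def render_vulnerable(user_input: str) -> str:
    """Reflects the URL-decoded input verbatim, so the leading "> closes the attribute
    and the tag and the rest of the payload is parsed as markup. This is the bug."""
    return TEMPLATE.format(value=unquote(user_input))


def render_fixed(user_input: str) -> str:
    """Same template, but the value is entity-encoded for an HTML attribute context
    (quote=True also encodes the double quote that the payload relies on)."""
    return TEMPLATE.format(value=escape(unquote(user_input), quote=True))


def reflects_unescaped(page: str, user_input: str) -> bool:
    """True when the decoded input appears in the response with its metacharacters
    intact, i.e. the quote and angle brackets were not encoded on output."""
    return unquote(user_input) in page


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("fixed:     ", render_fixed(PAYLOAD))
    print("still reflected unescaped after fix?", reflects_unescaped(render_fixed(PAYLOAD), PAYLOAD))
```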

I managed to confirm the presence of the vulnerability, and above I have shared the simple payload that I used. Finally, I share the video that I made about this vulnerability.

  • July 20 — I sent the report
  • July 20 — Triaged
  • July 23 — Resolved
  • August 8 — Bounty for me :D
