$900 XSS in Yahoo (Recon Wins)

Th3G3nt3lman
Sep 24, 2017 · 4 min read

Hi Guys,

For those who expect a special bypass or XSS-related trick: this is not about the XSS I found, which was an easy hit. This is about the recon I did and the help I got from KNOXSS to report this vulnerability to Yahoo.

Due to my work I generally don't have time to hunt for bugs, but when I do I tend to focus only on Yahoo: it is a sea of assets, they have a great team, and I have a proper understanding of how their sub-domains are organized. During my usual recon for Yahoo I came across this target: http://bf1-adxdb-001.data.bf1.yahoo.com. The response was "The requested URL was not found on this server" (see below), which is something most Yahoo BB hunters usually see.

Running a quick dirsearch against the target, I found the file about.php at http://bf1-adxdb-001.data.bf1.yahoo.com/about.php, and the response was surprising: there is a private instance of WebPageTest (https://www.webpagetest.org/) running on that server, as shown below:

OK, that's interesting. I started digging into the application to find bugs and couldn't, even though I also found this default nginx installation endpoint, which exposes most of the PHP endpoints on the server:
http://bf1-adxdb-001.data.bf1.yahoo.com/nginx.conf

So I ran dirsearch on the server again with another wordlist, looking for PHP endpoints, and found the vulnerable one:
http://bf1-adxdb-001.data.bf1.yahoo.com/testdb.php. The response was:

Fatal error: Call to undefined function mysqli_connect() in /home/y/share/htdocs/testdb.php on line 8 [/testdb.php/]

When you reach that point you realize you must get something out of it. I had a lot of endpoints and was testing them all, but luckily I had my KNOXSS plugin running for *.yahoo.com. For those who don't know KNOXSS, it is an XSS discovery service created by the XSS god Brute; you can read about it here: https://knoxss.me/?page_id=2. I recommend using it, given the success I have had with it.

So while I was testing all the endpoints, KNOXSS triggered an XSS in the subject domain, and this was the final payload:

Lessons learned:

1- Don't stop when you see a forbidden/not found response from the target you are testing; run dirsearch or any tool you prefer to find endpoints.

2- Recon wins: Recon on Yahoo is not an easy process (I am planning a separate blog post to describe it); it needs focus and patience. I monitor Yahoo assets on shodan.io on a daily basis, and whenever I find an interesting sub-domain using aquatone/Sublist3r I try to find other sub-domains under it, and keep going down level by level. I am the crazy guy who runs full port scans on thousands of IPs. Why?

Because that helped me report unique stuff. Most of my bugs to Yahoo were infra-related, due to strange open ports: I found access control servers, appliances, storage consoles, etc., along with interesting web applications that had never been touched by other researchers. As an example, I found stuff at the 5th and 6th level of subdomains in Yahoo, like the below:

target.*.*.*.yahoo.com & target.*.*.*.*.yahoo.com

I do know other researchers are smart enough to report bugs in the web apps that are available publicly without doing the kind of recon I do, and they are very successful at it, but you could say I chose the hard way and I am loving it.

Finally, this is how it looks when you are searching for subdomains in Yahoo, or let's say sub-sub-sub-sub-subdomains:
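The level-by-level approach described above is easier to keep track of when the discovered names are organized into a tree. The script below is an added example, not part of the original post: it takes a list of hostnames (a constructed sample here, not real recon output), computes each name's depth under a base domain, builds the parent-to-children map so the next level to look at is always explicit, and lists the deepest names first. Wildcards, trailing dots, mixed case and look-alike domains outside the base are handled as edge cases.

```python
from collections import defaultdict
# Constructed sample of discovered hostnames (not real recon output); the mix
# of depths and odd entries mirrors the post's "sub-sub-sub-subdomain" point.
SAMPLE_HOSTS = [
    "www.yahoo.com",
    "data.bf1.yahoo.com",
    "bf1-adxdb-001.data.bf1.yahoo.com",
    "BF1-ADXDB-002.data.bf1.yahoo.com.",  # mixed case and trailing dot
    "console.storage.ops.gq1.yahoo.com",
    "*.data.bf1.yahoo.com",               # wildcard entry, skipped
    "yahoo-lookalike.com",                # not under the base domain
    "yahoo.com.example.test",             # base appears only as a prefix
]

def normalize(host):
    """Lower-case and drop the trailing dot so equal names compare equal."""
    return host.strip().rstrip(".").lower()

def depth(host, base):
    """Labels below base (www.yahoo.com -> 1), or None when out of scope."""
    host, base = normalize(host), normalize(base)
    if "*" in host or not host.endswith("." + base):
        return None
    return host[: -len(base) - 1].count(".") + 1

def build_tree(hosts, base):
    """Map each in-scope parent name to the names one level below it.
    Intermediate parents (bf1.yahoo.com) appear even if never seen directly:
    they are exactly the names to enumerate next, level by level."""
    tree = defaultdict(set)
    base = normalize(base)
    for raw in hosts:
        host = normalize(raw)
        if depth(host, base) is None:
            continue
        labels = host.split(".")
        # walk from the label just above base down to the leftmost label
        for i in range(len(labels) - base.count(".") - 2, -1, -1):
            tree[".".join(labels[i + 1:])].add(".".join(labels[i:]))
    return {parent: sorted(kids) for parent, kids in tree.items()}

def deep_hosts(hosts, base, min_depth):
    """In-scope hosts at least min_depth levels under base, deepest first."""
    scored = [(depth(h, base), normalize(h)) for h in hosts]
    scored = [(d, h) for d, h in scored if d is not None and d >= min_depth]
    return [h for _, h in sorted(scored, key=lambda p: (-p[0], p[1]))]

if __name__ == "__main__":
    for parent, kids in sorted(build_tree(SAMPLE_HOSTS, "yahoo.com").items()):
        print(parent, "->", ", ".join(kids))
    print("depth >= 3:", deep_hosts(SAMPLE_HOSTS, "yahoo.com", 3))
```

Feed it the output of whatever enumeration tool you use and the parents with few or no children are the branches still worth a closer look.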

Best Regards :)

InfoSec Write-ups