900$ XSS in yahoo ( Recon Wins )

Hi Guys,

For those who expects special bypass or xss related stuff this is not about the xss i found which was easy hit, this is about the recon i did and the help i got from Knoxss to report this vulnerability to yahoo.

Generally due to my work i don't have time to hunt for bugs, but when i do i tend to focus only on yahoo as its a sea of assets and they have a great team, along with the fact that i have the proper knowledge in how their sub-domains are organized, so during my usual recon for yahoo i came across this target : http://bf1-adxdb-001.data.bf1.yahoo.com and the response was “The requested URL was not found on this server” as per the below, which is something most yahoo BB hunters see usually.

running quick dirsearch on the subject target i found about.php file http://bf1-adxdb-001.data.bf1.yahoo.com/about.php and the response was surprising , there is a private instance for webpagetest (https://www.webpagetest.org/) running on that server as per the below :

OK, thats interesting .. Starting digging in the application to find bugs and i couldn’t, even though i found also this default nginx installation endpoint that expose most of the php endpoints in the server :

so i ran dirsearch on the server again with another wordlist looking for PHP endpoints and found the vulnerable one which is :
 http://bf1-adxdb-001.data.bf1.yahoo.com/testdb.php and the response was :

Fatal error: Call to undefined function mysqli_connect() in /home/y/share/htdocs/testdb.php on line 8 [/testdb.php/]

When you reach that point you realize that you must get something out of it, i had a lot of endpoints and i was testing them all but luckily i had my knoxss plugin running for *.yahoo.com and for those who don't know knoxss its a an xss discovery service created by the xss god Brute and you can read about it here https://knoxss.me/?page_id=2 and i recommend using it due to the success i had using it.

so when i was testing all endpoints knoxss triggered an xss in the subject domain and this was the final payload :

Lessons learned here :

1- don't stop when you see the response forbidden/not found on the target you are testing, run dirsearch or any tool you prefer to find endpoints.

2- Recon wins : Recon in yahoo is not an easy process, planning for a separated blog to describe it, it needs focus and patience, i monitor yahoo assets in shodan.io on daily basis, also whenever i find an interesting sub-domain using aquatone/sublister i try to find other sub-domains under it, and keep going down level by level, i am the crazy guy who runs full ports scan on thousands of ip’s , why ?

because that helped me reporting unique stuff, most of my bugs to yahoo were infra related due to a strange open ports , found an Access control servers, appliances, storage consoles, ..atc along with interesting web application that was never touched by other researches, as an example i found stuff in the 5th & 6th level of subdomains in yahoo like the below :

target.*.*.*.yahoo.com & target.*.*.*.*.yahoo.com

I do know other researchers are smart enough to report bugs in the web apps thats available publicly without doing that kind of recon i do, and they are very successful in that, but you can say i choose the hard way and i am loving it.

finally This is how it looks like when you are searching for subdomains in Yahoo, ,, or lets say sub-sub-sub-sub-subdomains

Best Regards :)