Hi,
I want to share another finding of mine on the Yahoo XSS filter bypass, which I reported to them in Dec 2014.
While researching and working on Yahoo bug bounties, I found some cool XSS.
This is not an actual filter bypass; I just found a way to enter JavaScript and run it.
This is a tricky one.
While researching dev.flurry.com, I found that the company name field is vulnerable to XSS. But unfortunately there is a filter.
You can't use <, >, ; or ' in the company name; you will get an error like "New company name is invalid."
But I found a way around this. We can't use <, > or ' when creating or editing a company, but in Add Company we can: just go to https://dev.flurry.com/viewProfile.do and click on Advanced Profile, where you can write your payload.
But there is also a filter there, so the XSS will not trigger. I tried too many things, including eval(), but none of them worked. After that I just checked whether there is any other place where this payload would execute. I found one!
Go to Applications > Alerts
Then the XSS will trigger.
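The defensive lesson from the story above is that a reject list on a few characters at input time does nothing for a value that is later rendered at a second sink (here the Alerts page). The following is an added example, not code from the post or from Flurry: it places the kind of reject-list check the post describes beside an allow-list validator and an HTML encoder applied at every render point. The field name, regular expression and render functions are assumptions.

```javascript
// Added example (not from the original post): the reject-list check the post
// describes beside an allow-list validator and output encoding at every sink.
const REJECTED = ['<', '>', ';', "'"];

// The kind of check the post describes: refuse four characters, accept the rest.
// Double quotes, ampersands, backticks and so on pass straight through.
function rejectListCheck(name) {
  return !REJECTED.some((ch) => name.includes(ch));
}

// Allow-list validation (assumed character set): a company name only needs a
// small, known set of characters, so accept those and nothing else.
const COMPANY_NAME = /^[A-Za-z0-9 .,&\-]{1,64}$/;
function allowListCheck(name) {
  return COMPANY_NAME.test(name);
}

// Output encoding for HTML text and quoted-attribute contexts. This runs at
// every place the stored value is rendered, regardless of input validation.
function encodeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// The same stored value rendered at two sinks, as the profile view and the
// Alerts view both display the company name. Both encode; neither trusts the
// other to have done it.
function renderProfile(name) {
  return `<h1>${encodeHtml(name)}</h1>`;
}

function renderAlert(name) {
  const safe = encodeHtml(name);
  return `<div class="alert" data-company="${safe}">${safe}</div>`;
}

module.exports = { rejectListCheck, allowListCheck, encodeHtml, renderProfile, renderAlert };
```

Running the two checks on a constructed name such as `Acme & Sons "Dev"` shows the difference: the reject list accepts it, the allow list refuses it, and the encoder neutralises the quote and ampersand at both sinks either way.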
Thanks for reading.
Time-line:
19. Dec 2014 - Vulnerability reported.
20. Jan 2014 - Triaged the bug.
21. Jul 2014 - Vulnerability fixed :D (That was pretty fast!)