XSS filter bypass in Yahoo dev.flurry.com

Hi,
I want to share another finding of mine on Yahoo, an XSS filter bypass which I reported to them in Dec 2014.
While researching and working on Yahoo's bug bounty programme I found a cool XSS.

Strictly speaking this is not a bypass of the filter itself: I found another path where JavaScript could be entered, and a page where it runs.

This is a tricky one.
While looking at dev.flurry.com I found that the company name field is vulnerable to XSS, but there is a filter in front of it.

You can't use <, >, ; or '. If you do, you get an error like "New company name is invalid".

I found a way around this. You can't use <, >, or ' when creating or editing a company, but in the add-company form you can: go to https://dev.flurry.com/viewProfile.do, click on "advanced profile", and write your payload there.

That page is also protected, so the XSS does not trigger there. I tried many things, including eval(), with no luck, then went looking for another place where the stored payload would be rendered and executed. I found one!

Go to Applications > Alerts

and the XSS triggers.

In other words, the company name is validated on one write path but not the other, and the stored value is neutralised when the profile page renders it but not when the Alerts page does. Validation on a single form is no substitute for encoding the value everywhere it is output.

[Screenshot: Step 4, the payload firing on the Applications > Alerts page]
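To make the two halves of the bug concrete, here is a small model of it in JavaScript. This is an added example written for this post, not Flurry's or Yahoo's code: the function names, the stored record, the denylist regex and the page templates are all assumptions, and the payload is constructed for the demonstration. It shows a "create/edit" path that rejects the four filtered characters, an "advanced profile" path that writes the same field with no check at all, and two render paths for that field, one that HTML-encodes on output and one that interpolates the stored value raw, next to the fixed version.

```javascript
// Added example, not code from the original post. Names, record shape and
// templates are assumptions made to illustrate the bug described above.

// Denylist the create/edit company form enforces, per the post:
// any of < > ; ' makes the name "invalid".
const DENIED = /[<>;']/;

function validateCompanyName(name) {
  if (DENIED.test(name)) throw new Error("New company name is invalid");
  return name;
}

// Hypothetical stored record; both entry points write the same field.
function saveViaEdit(store, name) {
  store.companyName = validateCompanyName(name);
  return store;
}

// The "advanced profile" path applies no validation at all (assumed shape
// of the bug the post describes: same field, no filter).
function saveViaAdvancedProfile(store, name) {
  store.companyName = name;
  return store;
}

// Minimal HTML escaping for an HTML text context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Profile page: encodes on output, so the stored payload stays inert here.
function renderProfile(store) {
  return `<h1>${escapeHtml(store.companyName)}</h1>`;
}

// Alerts page (vulnerable): interpolates the stored name raw.
function renderAlertsVulnerable(store) {
  return `<td>${store.companyName}</td>`;
}

// Alerts page (fixed): same template, encoded at the output boundary.
function renderAlertsFixed(store) {
  return `<td>${escapeHtml(store.companyName)}</td>`;
}

// Constructed payload for the demonstration. It needs < and > and so is
// rejected by the edit path but accepted by the advanced-profile path.
const PAYLOAD = "<img src=x onerror=alert(1)>";

function demo() {
  const store = {};
  let editRejected = false;
  try { saveViaEdit(store, PAYLOAD); } catch (e) { editRejected = true; }
  saveViaAdvancedProfile(store, PAYLOAD);
  return {
    editRejected,
    profile: renderProfile(store),
    alertsVulnerable: renderAlertsVulnerable(store),
    alertsFixed: renderAlertsFixed(store),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Running it prints the stored payload intact inside the vulnerable Alerts markup and encoded in both the profile and fixed Alerts markup. The lesson is the one from the post: the denylist on the edit form did nothing for the advanced-profile form, and even a perfectly filtered write path would not have saved the Alerts page, because it trusted the stored value instead of encoding it on output.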

Thanks for reading.

Time-line:
19. Dec 2014 - Vulnerability reported.
20. Jan 2014 - Triaged the bug.
21. Jul 2014 - Vulnerability fixed :D (That was pretty fast!)

shubhamgupta
