Stored XSS in Yahoo!

in #bugbounty · 6 years ago

Sharing is Caring :)
When we share, we open doors to a new beginning.

This is Shahzada Al Shahriar Khan, and I am from Bangladesh.
I am going to share how I found a stored cross-site scripting (XSS) vulnerability in Yahoo.

Steps to Reproduce:

Go to https://www.yahoo.com/news and open the comment section of any article.

[Screenshot: Screen Shot 2018-04-27 at 11.17.54 AM.png]

Post a comment containing this payload: "><img src=x onerror=confirm(1);>

[Screenshot: Screen Shot 2018-04-27 at 11.18.57 AM.png]

Now what? Voila! The comment is stored and rendered back into the page without being encoded, so the <img> tag is live, the broken src fires onerror, and we get the famous confirm(1) popup! :D Because the payload is stored server-side, it fires for anyone who views the comment, not just for me.

[Screenshot: Screen 1.png]

I then tried another payload that lets me write something into the popup box, and found this one: <img src=x onerror=prompt(1337)>
At that moment I felt like a boss!

[Image: Ironman.jpg]

[Screenshot: Screenshot 2.png]

Here is the video PoC:

Timeline:

31/03/2018 - Initial Report.
01/04/2018 - HackerOne staff asked for 'Needs more info.'
01/04/2018 - More Info Submitted.
04/04/2018 - Triaged and an initial $300 bounty awarded.
06/04/2018 - Bug resolved.
11/04/2018 - $1700 bounty awarded.

Thanks for reading.

./TheShahada


@theshahzada, let me be the first to welcome you to Steemit! Congratulations on making your first post!

I gave you a $.05 vote!

Would you be so kind as to follow me back in return?

You should post this on reddit.com/r/xss. Nice find.

Good suggestion, I will post this on reddit soon.

Thank you :)

I used to try my luck at bug bounties, but it is a race against time and very competitive. Not sure if you're familiar with xssposed, which is now https://www.openbugbounty.org, definitely worth checking out.
