Xss filter bypass in Yahoo dev.flurry.com

Hi,I want to share my another finding on Yahoo xss filter bypass which I have reported to them in Dec 2014.While researching and working on yahoo bug bounties i’ve found some cool xss.

This is not the actual filter bypass I just found a way to enter javascript and run it.

This is tricky oneDuring research of dev.flurry.com I found that company name is vuln. to xss attack.But unfortunately there is a filter.

You can’t use <,>,;,', you will get error like that New company name is invalid.

But I found a way to bypass this we can’t use <,>,' in creating or editing. but in add company we can do that just go to https://dev.flurry.com/viewProfile.do and click on advanced profile where you can write your payload.

But there is also filter the xss will not trigger. so I tried too many things including eval() but it’s not working after that i’m just checking is there any option where this payload will execute. I found!!

Go to Applications > Alerts

Then xss will trigger.

Thanks for reading.

19. Dec 2014 - Vulnerability reported.
20. Jan 2014 - Triaged the bug.
21. Jul 2014 - Vulnerability fixed :D (That was pretty fast!)