XSS filter bypass in Yahoo dev.flurry.com

Hi,
I want to share another finding of mine, a Yahoo XSS filter bypass which I reported to them in Dec 2014.
While researching and working on Yahoo bug bounties I’ve found some cool XSS.

This is not an actual filter bypass; I just found a way to enter JavaScript and run it.

This is a tricky one.
During research of dev.flurry.com I found that the company name is vulnerable to an XSS attack. But unfortunately there is a filter.

You can’t use <, >, ; or '. You will get an error like this: "New company name is invalid".

But I found a way to bypass this. We can’t use <, >, ' when creating or editing, but in add company we can. Just go to https://dev.flurry.com/viewProfile.do and click on advanced profile, where you can write your payload.

But there is also a filter, so the XSS will not trigger. I tried many things, including eval(), but it did not work. After that I checked whether there was any place where this payload would execute. I found one!!

Go to Applications > Alerts

Then the XSS will trigger.
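
The root cause described above is a character filter applied on one write path but not another, combined with a page that renders the stored value without encoding. The following is an added example, not part of the original post and not Flurry's code: every function name, the in-memory store and the sample value are assumptions, and it shows why output encoding at each sink closes the gap regardless of which form stored the value.

```javascript
// Hypothetical model of the flaw class: one filtered write path, one
// unfiltered write path, and sinks that do or do not encode on output.
const FORBIDDEN = /[<>;']/; // characters the post says the edit form rejects
const db = { companyName: "" }; // stand-in for the real data store

function validateCompanyName(name) {
  if (FORBIDDEN.test(name)) throw new Error("New company name is invalid");
  return name;
}

// Write path 1: create/edit form, filter applied.
function saveFromEditForm(name) { db.companyName = validateCompanyName(name); }

// Write path 2: a second form where the filter was never wired in.
function saveFromAdvancedProfile(name) { db.companyName = name; }

// Encoder for the HTML body context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Sink that trusts the stored value (assumed behaviour of the alerts view).
function renderAlertsUnsafe() { return `<td>${db.companyName}</td>`; }

// Same sink with encoding applied at render time.
function renderAlertsFixed() { return `<td>${escapeHtml(db.companyName)}</td>`; }

function demo() {
  const sample = "Acme <b>'test'</b>"; // constructed, harmless markup
  let editRejected = false;
  try { saveFromEditForm(sample); } catch (e) { editRejected = true; }
  saveFromAdvancedProfile(sample); // second path stores it unchanged
  return {
    editRejected,
    alertsUnsafe: renderAlertsUnsafe(), // markup reaches the page as markup
    alertsFixed: renderAlertsFixed(),   // markup is rendered as text
  };
}

console.log(demo());
```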


Thanks for reading.

 

shubhamgupta

 
