web application security lab

Yahoo Mail XSS 0-Day

Hong has been coming up with some really interesting research, including a finding where you can use HTML entities inside event handlers to jump outside of certain types of encapsulation and pull off a cross site scripting attack. He even has a demo page set up here. Nasty, but how common is this? Well, using event handlers (onmouseover, onload, onunload, etc…) is pretty common, but how many people actually use them that way? That’s the question. Well, it turns out at least one company does - Yahoo.

Hong found that you can use this technique to exploit Yahoo Mail. It does require user interaction (as do many event handlers), but in this case it’s the next and previous buttons, which consumers use pretty commonly. So while extremely obscure, it could be pretty effective in many cases where users thought they were stuck in encapsulation. Very nice work Hong!
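To see why the entity trick above gets past escaping aimed only at the JavaScript string, here is an added example (not from the original post or Hong’s demo) that models the browser decoding an inline handler’s attribute value before the JS engine parses it, and compares a JS-only escaper with one that also encodes for the attribute context. The `go('...')` template and all function names are assumptions for illustration.

```javascript
// Added example, not from the original post. Models the browser decoding
// character references in an attribute value before the JS engine sees the
// inline handler source. The go('...') template is an assumed server snippet.
const NAMED = { quot: '"', apos: "'", amp: '&', lt: '<', gt: '>' };
function decodeAttributeValue(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1].toLowerCase() === 'x';
      return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return NAMED[ref.toLowerCase()] ?? m;
  });
}

// Weak: escapes only for the JS string context. An encoded quote such as
// &#39; contains no quote character, so it passes through untouched.
function jsStringEscape(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
}

// Layered: encode for the JS string, then for the HTML attribute around it,
// so the browser's entity decoding only undoes the outer layer.
function htmlAttrEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#39;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function layeredEscape(s) { return htmlAttrEscape(jsStringEscape(s)); }

// Assumed server template: a URL parameter dropped into an inline handler.
function renderHandler(param, escape) { return `go('${escape(param)}')`; }

// Count single quotes not preceded by a backslash in the decoded source.
// The template contributes exactly two; any other count means the string
// literal was terminated early and parameter text is now parsed as code.
function countUnescapedQuotes(js) {
  let n = 0;
  for (let i = 0; i < js.length; i++) {
    if (js[i] === '\\') { i++; continue; }
    if (js[i] === "'") n++;
  }
  return n;
}
function breaksOut(param, escape) {
  const seenByJs = decodeAttributeValue(renderHandler(param, escape));
  return countUnescapedQuotes(seenByJs) !== 2;
}
```

The JS-only escaper stops a literal quote but not its entity form; the layered escaper stops both, and the best fix is to keep untrusted data out of inline handlers altogether.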

One Response to “Yahoo Mail XSS 0-Day”

  1. Wladimir Palant Says:

    The point is that not only does the site need to use inline event handlers, it also has to put some URL parameter there - and this is IMHO very rare. My respect to Hong for discovering two (!) sites that do.