web application security lab

Writeup on Yahoo XSS

Rarely Greys posted a rather long article about how you can exploit users on Yahoo through cross site scripting vulnerabilities, the attack we all know and love. It’s a pretty interesting philosophical take on the issue actually. It does get technical near the end, including a Perl script to generate the attack on the fly.

In the end the vulnerability comes down to this exploit (click to see the XSS vulnerability). It uses an onerror event handler in an image tag, and since quotes are filtered it builds the string it needs with String.fromCharCode instead, so no quote character ever appears in the payload. Well done. Not really news, except the writeup is pretty interesting as it goes into a lot more detail about how the attack works than I typically do.
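Added example, not from the writeup or the original post: why escaping only the quote characters (which is what kaes observes in the comments below) does not close a hole of this shape, and what context-aware encoding does instead. The payload string is constructed here to match the technique described (img onerror plus String.fromCharCode) and is not the real Yahoo URL.

```javascript
// Added example (not the post's or Yahoo's code). Shows that a quotes-only
// "fix" leaves a quote-free onerror payload intact, while HTML entity
// encoding neutralises it, plus a simple log/WAF check for the pattern.

// Naive fix: escape only quotes. < > = and ( ) pass straight through.
function escapeQuotesOnly(s) {
  return s.replace(/"/g, '\\"').replace(/'/g, "\\'");
}

// Proper fix for an HTML text or attribute context: entity-encode every
// character that can break out of text or an attribute value.
function encodeForHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return s.replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Constructed sample of the quote-free payload shape the post describes.
// (Hypothetical input, not the original exploit URL.)
const SAMPLE_INPUT = '<img src=x onerror=alert(String.fromCharCode(88,83,83))>';

// Does the string, once placed in a page, still contain a live <img ... onerror>?
function rendersActiveTag(html) {
  return /<img[^>]*\bonerror\s*=/i.test(html);
}

// Detection helper for reviewing request logs: flags the event-handler or
// fromCharCode pattern regardless of whether quotes were escaped.
const XSS_PATTERN = /<\s*img[^>]*\bonerror\s*=|String\.fromCharCode\s*\(/i;
function looksLikeOnerrorXss(s) {
  return XSS_PATTERN.test(s);
}

// Quotes-only escaping changes nothing here; entity encoding defuses the tag.
console.log(rendersActiveTag(escapeQuotesOnly(SAMPLE_INPUT))); // true
console.log(rendersActiveTag(encodeForHtml(SAMPLE_INPUT)));    // false
```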

6 Responses to “Writeup on Yahoo XSS”

  1. RSnake Says:

    This was also posted by TX here: http://sla.ckers.org/forum/read.php?3,44,12494#msg-12494 (not sure who found it first)

  2. hackathology Says:

    Very interesting though.

  3. Bipin "3~" Upadhyay Says:

    …and it’s Slashdotted.

    What’s interesting about being Slashdotted is that you get to see the current public opinion (really??? ;) ).
    I found this thread interesting.
    … and this one reminded me that there’s still a lot to be done for awareness; and that’s where such flaws are welcome.
    p.s. Did I just say “awareness-through-FUD”???

  4. kaes Says:

    Did they fix it already? I tried clicking the link in both Opera and Firefox and got no alert box or anything.

    I just checked the source; I suppose they are escaping the quotes now.

  5. .mario Says:

    fixed

  6. MustLive Says:

    This hole is fixed, but there is another XSS hole at search.yahoo.com, which I wrote about at my site (http://websecurity.com.ua/1372/). It is necessary to check holes (and the whole fixed scripts) after fixing, especially in the case of XSS, where there are a lot of bypass techniques.

    So Yahoo needs to fix the new hole in their search engine. And they need another Jeremiah Grossman to help them with security :-) Yahoo, feel free to contact me.