XSS in arc.help.yahoo.com at captchaView parameter
“Please use this form to report the error you are experiencing.”
The Form once contained a Captcha Form to prevent Bots and Spam from Submitting the Form. The Form was submitted with a POST containing the XSS in the captchaView Parameter, using a Double-URL encoded expression.
In the Application Response, the Parser made a Match On:
YACV.initParams['V5'].captchaView = "visual";alert(1)//";
|XSS, arc.help.yahoo.com, Captcha Form, CWE-79, CAPEC-86, Cross Site Scripting, Resolved|
The Form now doesn’t contain the Captcha Form or captchaView Parameter, Resolving the XSS.
Reported to Y!SEC on October 11, 2013 and noted as Resolved more recently. A Bounty of US$402 was paid by HackerOne, titled as a Self-XSS, yet perhaps Y!SEC didn’t look closely enough at the Bug to see it was also expressed as a GET Request and could be XHR’d as provided in the PoCs.
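The reflection described above, shown beside a hardened form, as an added example that is not part of the original post and is not Yahoo's code. It assumes the double-URL-encoded value was decoded again after any input check; the function names, the allow-list values and the sample input are constructed for illustration.

```javascript
// Added example. Only the YACV.initParams['V5'].captchaView assignment comes
// from the page; function names and the allow-list are hypothetical.

// Constructed sample: the page's value, URL-encoded twice.
const SAMPLE = encodeURIComponent(encodeURIComponent('visual";alert(1)//'));

// Decode until stable so validation sees the value a later layer would see.
function canonicalize(raw, maxRounds = 3) {
  let cur = raw;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { return null; }
    if (next === cur) return cur;
    cur = next;
  }
  return null; // still changing after maxRounds: reject
}

// Vulnerable pattern: the value is concatenated into a JS string literal.
function renderVulnerable(captchaView) {
  return `YACV.initParams['V5'].captchaView = "${captchaView}";`;
}

// Serialize as a JS string literal and escape characters that could end the
// literal or the enclosing <script> element.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Assumed allow-list; the page only shows the value "visual".
const ALLOWED_VIEWS = new Set(["visual", "audio"]);

// Hardened: allow-list first, then context-aware encoding as a second layer.
function renderHardened(captchaView) {
  const view = ALLOWED_VIEWS.has(captchaView) ? captchaView : "visual";
  return `YACV.initParams['V5'].captchaView = ${jsStringLiteral(view)};`;
}

const decoded = canonicalize(SAMPLE);
console.log(renderVulnerable(decoded)); // breaks out of the string literal
console.log(renderHardened(decoded));   // falls back to "visual"
console.log(jsStringLiteral(decoded));  // quote is escaped, stays one literal
```

Checking the value only before the final decode is what lets a double-encoded quote through; the hardened path validates the canonical form and still encodes for the JavaScript string context.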
Burp Suite Pro – Must Have
DOM XSS Wiki – RTFM for your Brain
Safari Developer Tools – Web Inspector
FireBug – Element Inspection, CLI
SpiderMonkey – JS Testing
JSBeautify – JS Helper
Selenium – Recon, Session Replay
User Agents – IE 8-11, Chrome, Safari/WebKit, Mozilla
DOMinator – Useless for YUI3 debugging, use Safari