XSS, arc.help.yahoo.com, Captcha Form, CWE-79, CAPEC-86, Cross Site Scripting, Resolved

XSS in arc.help.yahoo.com at captchaView parameter

URL https://arc.help.yahoo.com/arc/arc.php

“Please use this form to report the error you are experiencing.”

The Form once contained a Captcha Form to prevent Bots and Spam from Submitting the Form. The Form was submitted with a POST containing the XSS in the captchaView Parameter using a Double-URL encoded expression.

POST
..
&captchaView=visual%2522%253balert%25281%2529%252f%252f

In the Application Response, the Parser made a Match On:

YACV.initParams['V5'].captchaView = "visual";alert(1)//";
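The reflection above, modelled as an added Node.js example (not code from the original post or from Yahoo): a sink that decodes the parameter twice and splices it into a JS string literal, beside the same sink emitting the value as an escaped JSON string literal. The YACV object, the counting alert() and the PAYLOAD constant are constructed for the example.

```javascript
// Constructed input: the double-URL-encoded captchaView value from the write-up.
const PAYLOAD = 'visual%2522%253balert%25281%2529%252f%252f';

// Vulnerable sink: decodes twice and interpolates straight into a JS string literal,
// so a value containing a double quote terminates the literal.
function renderVulnerable(captchaView) {
  const value = decodeURIComponent(decodeURIComponent(captchaView));
  return `YACV.initParams['V5'].captchaView = "${value}";`;
}

// JS-string-context encoder: JSON.stringify escapes quotes and backslashes; the extra
// replacements keep "</script>" and the JS line terminators from closing the block.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened sink: same (double) decoding, but the value is emitted as an escaped literal,
// so fixing the output context alone is enough to keep the payload inside the quotes.
function renderSafe(captchaView) {
  const value = decodeURIComponent(decodeURIComponent(captchaView));
  return `YACV.initParams['V5'].captchaView = ${jsStringLiteral(value)};`;
}

// Harness: runs the emitted statement against a stub YACV object and an alert() that
// only counts calls, and reports what the page's script would actually have done.
function execute(statement) {
  const YACV = { initParams: { V5: {} } };
  let alerts = 0;
  new Function('YACV', 'alert', statement)(YACV, () => { alerts++; });
  return { captchaView: YACV.initParams.V5.captchaView, alerts };
}

console.log(renderVulnerable(PAYLOAD), execute(renderVulnerable(PAYLOAD)));
console.log(renderSafe(PAYLOAD), execute(renderSafe(PAYLOAD)));
```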

Screen Grab

(Screen grab image: XSS.Cx Pic 2013)

The Form now doesn’t contain the Captcha Form or captchaView Parameter, Resolving the XSS.

Reported to Y!SEC on October 11, 2013 and noted as Resolved more recently. A Bounty of US$402 was paid by HackerOne titled as a Self-XSS, yet perhaps Y!SEC didn't look close enough at the Bug to see it was also expressed as a GET Request and could be XHR'd as provided in the PoCs.

Tools Used
Burp Suite Pro – Must Have
JS Prime – Static Javascript Analysis – jQuery + YUI!
DOM XSS Wiki – RTFM for your Brain
Safari Developer Tools – Web Inspector
FireBug – Element Inspection, CLI
SpiderMonkey – JS Testing
JSBeautify – JS Helper
Selenium – Recon, Session Replay
User Agents – IE 8-11, Chrome, Safari/WebKit, Mozilla
DOMinator – Useless for YUI3 debugging, use Safari