This will be my first write-up on my security research. The following post walks through a stored Cross-Site Scripting (XSS) bug I found that affected all of Yahoo!'s Fantasy Sports leagues.
Yahoo! hosts its own Fantasy Sports platform for a variety of sports, a list of which can be found here. Each sport is hosted on its own subdomain and includes a variety of features, some common to all sport subdomains, like message boards, and others sport-specific. The message board functionality acts like a typical online forum, allowing users who have joined a league to create posts, share images, etc. It was in this message board functionality that I found a stored XSS vulnerability that could be exploited against any user who viewed the malicious message.
After joining any league/group for any Yahoo! Fantasy Sports league, proceed to the league's Message Board, which will look like this:
After clicking the 'Post New Topic' button you will be given this screen:
Then switch to the Rich Text Editor:
Once here, I added a random plain-text title (since adding any HTML to it would cause a validation error) with the following payload in the body:
<img src="x:? title=" onerror=alert(document.domain)//">
This would then render as:
<img src="x:? title=" title="" onerror="alert(document.domain)//">. Notice how the src and title attributes have been parsed: because I did not include a closing double quote after x:, the double quote from my title attribute closed the src attribute's value, and Yahoo! added an empty title (title=""). The onerror handler survived, so the XSS would fire any time anyone viewed the post, including myself after submitting it, across all browsers.
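As an added example (not Yahoo!'s code), the following Python shows how an attribute allow-list sanitizer handles the exact payload above: it keeps only the attributes a message board needs on <img>, drops every on* event handler and any src that is not http(s), and records what it removed so the rejection can be logged. ALLOWED_TAGS and SAFE_SCHEMES are assumptions chosen for the illustration.

```python
"""Allow-list HTML sanitizer for message-board posts (added example, not Yahoo!'s code).

The browser tokenises the post's payload into attributes exactly as shown above;
an allow-list applied at that level never lets an event handler reach the page.
"""
from html.parser import HTMLParser
from html import escape

# Assumed policy: the only tag a post may embed and the attributes it may carry.
ALLOWED_TAGS = {"img": {"src", "alt", "title", "width", "height"}}
SAFE_SCHEMES = ("http://", "https://")


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitised fragments, joined at the end
        self.dropped = []   # (tag, attribute) pairs removed, for logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:          # unknown tag: drop it entirely
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Reject anything not on the allow-list, and every on* handler
            # (onerror in the payload) regardless of how it was quoted.
            if name not in ALLOWED_TAGS[tag] or name.startswith("on"):
                self.dropped.append((tag, name))
                continue
            # The payload's src is "x:? title=", not an http(s) URL: drop it.
            if name == "src" and not value.lower().startswith(SAFE_SCHEMES):
                self.dropped.append((tag, name))
                continue
            kept.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + tag + "".join(" " + k for k in kept) + ">")

    def handle_data(self, data):
        self.out.append(escape(data))        # text nodes are entity-encoded


def sanitize(fragment):
    """Return (safe_html, dropped) for one untrusted post body."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# The payload from the post above, and a benign image for comparison.
PAYLOAD = '<img src="x:? title=" onerror=alert(document.domain)//">'
BENIGN = '<img src="https://example.com/logo.png" alt="logo">'
```

Running sanitize(PAYLOAD) yields a bare <img> with both src and onerror recorded in the dropped list, while sanitize(BENIGN) returns the image unchanged.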
- 11/23/2016 - Vulnerability Found and Reported via Yahoo's BBP on HackerOne
- 11/25/2016 - Vulnerability accepted and triaged by Yahoo team
- 12/03/2016 - Vulnerability Patched by Yahoo Security
- 12/05/2016 - Report marked 'Resolved' on HackerOne
- 12/07/2016 - Yahoo awarded an $800 bounty.
Thanks to @yaworsk for help with editing of this post.