Yesterday, a friend of mine (LMaster) found a reflected (passive) XSS on Yandex. A specially crafted link sent to the victim lets an attacker steal cookies. The add GET parameter is not filtered, and triggering the script requires no further user action. Request: _http://www.yandex.ru/?add=3188">&edit=1
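To make the bug concrete, here is an added example (not Yandex's code; that the parameter was reflected into an HTML attribute value is my assumption, based on the "> in the request): a template that reflects the add parameter verbatim, the same template with attribute-context escaping, and a check that tells the two apart by parsing the result the way a browser would.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed from the request in the post (defanging underscore dropped).
SAMPLE_URL = 'http://www.yandex.ru/?add=3188">&edit=1'


def add_param(url: str) -> str:
    """Extract the raw 'add' query parameter the way a server would see it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("add", [""])[0]


def render_vulnerable(add: str) -> str:
    """Hypothetical buggy template: the parameter is reflected verbatim into
    an attribute value, so a '"' inside it closes the attribute early."""
    return f'<input type="hidden" name="add" value="{add}">'


def render_hardened(add: str) -> str:
    """Same template with attribute-context escaping; quote=True turns '"'
    into &quot; so the value can no longer terminate the attribute."""
    return f'<input type="hidden" name="add" value="{html.escape(add, quote=True)}">'


class _FirstInputValue(HTMLParser):
    """Collect the value attribute of the first <input> a browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.value is None:
            self.value = dict(attrs).get("value")


def reflected_value(rendered: str):
    """Parse the rendered HTML and return what actually ended up in value=..."""
    parser = _FirstInputValue()
    parser.feed(rendered)
    parser.close()
    return parser.value


def parameter_contained(render, add: str) -> bool:
    """True only if the whole parameter survived inside the attribute,
    i.e. nothing spilled out into the surrounding markup."""
    return reflected_value(render(add)) == add
```

With the value from the post, parameter_contained(render_vulnerable, ...) is False because everything after 3188 lands outside the attribute, while the hardened template keeps the full string inside it.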
PS: He himself does not have access to Habr. The main theme.
UPD: The vulnerability has been closed. This has already been reported in the comments, so please do not post hundreds of “Doesn't work!” replies.