Archive for September, 2013


Vulnerability Type(s): Reflective XSS and Persistent XSS.


Tested on: Firefox 23.0.1

Attack demonstration:

1>Visit  (Make sure that you are logged in with your outlook account)
2>Click “My Places”
3>Click “New list”
4>In the Title field enter the script: "><img src=a onerror="alert(document.cookie);">
5>In the Notes field enter the same script: "><img src=a onerror="alert(document.cookie);">
6>Click “Save”
7>You will see a popup showing cookie info.
8>Click the “Add a Pushpin” icon below.
9>Click anywhere on the map.
10>Now select the option ["><img src=a onerror="alert(document.cookie);">] from the dropdown box.
11>Enter Title as: "><img src=a onerror="alert(document.cookie);">
12>Enter Note as: "><img src=a onerror="alert(document.cookie);">
13>Click “Save”.
14>Hover the mouse pointer over the yellow dot with a number on the map; you will notice the XSS popup.
15>Now, hover the pointer over the name "><img src=a onerror="alert(document.cookie);"> in “My place editor”. Here too you will see the effect of the XSS.

Demo (Snap) with "><img src=a onerror="alert(1);"> payload:


Update: It appears that MS has since fixed the vulnerability.
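
The steps above work because the stored Title and Notes values come back into the page without output encoding. The following is an added example, not part of the original post and not code from the affected site: it puts an unencoded rendering beside an encoded one and lists the elements a browser would see in each. The function names and the markup shape (title echoed into a quoted attribute and into element text) are assumptions made for illustration.

```javascript
// Added example: hypothetical rendering helpers, not code from the affected site.
// Assumption: the list title is echoed into a quoted attribute and into element text.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: stored fields concatenated into markup unchanged.
function renderPlaceUnsafe(title, notes) {
  return `<li title="${title}"><span>${title}</span><p>${notes}</p></li>`;
}

// Hardened pattern: every stored field is encoded at output time.
function renderPlaceSafe(title, notes) {
  const t = escapeHtml(title);
  const n = escapeHtml(notes);
  return `<li title="${t}"><span>${t}</span><p>${n}</p></li>`;
}

// Minimal tokenizer: names of start tags, honouring quoted attribute values.
function startTags(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] === '<' && /[A-Za-z]/.test(html[i + 1] || '')) {
      let j = i + 1;
      while (j < html.length && /[A-Za-z0-9]/.test(html[j])) j++;
      names.push(html.slice(i + 1, j).toLowerCase());
      let quote = null;
      while (j < html.length && (quote || html[j] !== '>')) {
        if (quote) { if (html[j] === quote) quote = null; }
        else if (html[j] === '"' || html[j] === "'") quote = html[j];
        j++;
      }
      i = j + 1;
    } else {
      i++;
    }
  }
  return names;
}

// Constructed sample: the alert(1) string from the post, with straight quotes.
const SAMPLE = '"><img src=a onerror="alert(1);">';

function demo() {
  return {
    unsafe: startTags(renderPlaceUnsafe(SAMPLE, SAMPLE)),
    safe: startTags(renderPlaceSafe(SAMPLE, SAMPLE)),
  };
}

console.log(demo());
```

In the unencoded output the stored value closes the attribute and adds an `img` element at each of the three places it is echoed; in the encoded output only the template's own `li`, `span` and `p` elements remain.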

Today I finally got the shipment from Yahoo’s bug bounty for responsible disclosure.

I have uploaded a few snaps of the gifts I received.




Vulnerability type: Unhandled Exception/Error in session handling leading to Java error code disclosure.

Dated: Sept 07’2013

App: Yahoo Calendar service

Acknowledged & thanked by for finding the flaw.

Received E-gift card and promo code from the Yahoo team.