The first XSS STORED find in YANDEX Bug Bounty Program

Aidil Arief
4 min readMay 28, 2022

--

Assalamualaikum Bug Hunter & Hi Everyone.

This time I want to share a finding of the XSS STORED Vulnerability on Yandex.

Previously I have tried to search for vulnerabilities in the Yandex Bug Bounty Program, and as a result I did not find any vulnerabilities in Yandex. I was frustrated, and until finally I decided to search again with more details, and finally I found my first XSS STORED on Yandex.

Let’s take your time to see this article :)

In this discovery I found 2 endpoints or 2 subdomains that were XSS STORED affected.

Alright, for the first one, I found XSS STORED in the https://files.messenger.yandex.net/ subdomain

When I try to open https://yandex.com/chat/ , then there is a Chat feature that contains the FILE ATTACHMENT feature. This feature makes me curious, because here all FILES are escaped with their respective Content-Type files. However, in the File Attachment feature there is only the Download FILE feature, and of course it will be difficult for me to see the FILE so that the FILE runs on the client side.

The first thing I prepared was the SVG file. Here’s the contents of the SVG payload:

<?xml version=”1.0" standalone=”no”?><!DOCTYPE svg PUBLIC “-//W3C//DTD SVG 1.1//EN” “http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload=”alert(document.domain)” xmlns=”http://www.w3.org/2000/svg"> <polygon id=”triangle” points=”0,0 0,50 50,0" fill=”#009900" stroke=”#004400"/> </svg>

File Download : https://testing13370x.000webhostapp.com/svg.html

Next I created a Chat Group, then sent an attachment containing the SVG file above.

See, the SVG file escaped successfully in the Chat attachment.

However, my steps stopped for a moment when I saw that there was only the DOWNLOAD File feature here, then when I clicked “download file”, which file will be downloaded automatically :’(

I immediately turned on the Burp Suite when making a request to download the file so that I could get the URL of the file’s LOCATION. Here are the results:

See, here is the URL for the DOWNLOAD FILE LOCATION:

https://files.messenger.yandex.com/file_shortterm/file/3536a5ca-51a0–418e-b4ba-c85f28e41f2d?attach=true

I get the URL of the FILE Location, but why when I access it the FILE is automatically downloaded?

Let’s see the URL with details, and there is a Simple Technique for the solution to the problem why the FILE is automatically downloaded :)

https://files.messenger.yandex.com/file_shortterm/file/3536a5ca-51a0-418e-b4ba-c85f28e41f2d?attach=true

attach=true

that parameter is the main reason why my FILE auto-download :’(

Then what is the solution?

Let’s see what happens if we make a URL request without attach=true parameter :)

Open that FILE Location URL again but without attach=true

https://files.messenger.yandex.com/file_shortterm/file/3536a5ca-51a0-418e-b4ba-c85f28e41f2d

Then you will be redirected to:

https://files.messenger.yandex.net/file/3536a5ca-51a0-418e-b4ba-c85f28e41f2d?sign=ST_1638786251_54d61507422e96946ea01178e7e23b19_2d0519a6115530960f0fe1e46809a598b516a44a23f1e2f14d5f7314

And see, the SVG FILE is triggered there so XSS is also triggered :)

I smell XSS STORED here :)

Then I tried to report it to Yandex. And I’m more curious, why just bypass it. And it crossed my mind to look for the Download FILE feature on another Yandex subdomain, and I found the second XSS STORED on Yandex.

Follow me :)

The second finding is at https://disk.yandex.com/notes/

In that subdomain there is a FILE ATTACHMENT feature too :D

The first thing I tried was to upload the SVG file earlier, and lo and behold, the SVG FILE was escaped.

The next thing I did was look for the FILE LOCATION, here it’s quite easy to get the file location just by copying the file location.

Here’s the FILE LOCATION:

https://s313myt.storage.yandex.net/rdisk/b5d121e5c0ed783e5a3d93394bd9a645d3fabf3b1bcad0b12b55508272dc3866/61ae1f16/XgR-PzzRjV9rEblGC_CTo8TxuE3h1SLN-dVO4fIBvSGuTD1V1p9nCR3G01QwSxwrzNzC3HwVL7Ak5mynbK9Dtw==?uid=1499224356&filename=ke35uucbtdmo55zdoxifa&disposition=attachment&hash=&limit=0&content_type=image%2Fsvg%2Bxml&owner_uid=1499224356&fsize=294&hid=327314be4de311345166590e20d0bdcd&media_type=image&tknv=v2&etag=0bd221e3de6b474e1e68f5419b7cd576&rtoken=XVCBNaq36j8M&force_default=yes&ycrid=na-7ac6f63d70617fb077abb5270e766e5d-downloader12h&ts=5d27b21d57180&s=0b675d9c788808b95cef6ce2659aa6b45f1454844f19efec18bb1ad1df29ad2e&pb=U2FsdGVkX18R5qfWe_Uf_MK4lpJRNCLhrka44f84jG-tHJUcRGIL1YNhnAbhuHPVNNDDEGjlHOvt0BtdmCm-k8M2GRf7sG1O6ap9DHR6HLQ

And in this case, it is almost the same as the first finding above, AUTOMATICALLY FILE DOWNLOAD :’(

I’m more and more curious about how to open the FILE in the Attachment feature?

When looking at the URL of the FILE LOCATION, I found a suspicion about its parameter, namely &disposition=attachment parameter

After figuring out the cause, and the final result of the solution to this problem is to remove the attachment from the &disposition= parameter.

Let’s see how it responds when attachment is removed from &disposition= parameter :)

https://s313myt.storage.yandex.net/rdisk/b5d121e5c0ed783e5a3d93394bd9a645d3fabf3b1bcad0b12b55508272dc3866/61ae1f16/XgR-PzzRjV9rEblGC_CTo8TxuE3h1SLN-dVO4fIBvSGuTD1V1p9nCR3G01QwSxwrzNzC3HwVL7Ak5mynbK9Dtw==?uid=1499224356&filename=ke35uucbtdmo55zdoxifa&disposition=&hash=&limit=0&content_type=image%2Fsvg%2Bxml&owner_uid=1499224356&fsize=294&hid=327314be4de311345166590e20d0bdcd&media_type=image&tknv=v2&etag=0bd221e3de6b474e1e68f5419b7cd576&rtoken=XVCBNaq36j8M&force_default=yes&ycrid=na-7ac6f63d70617fb077abb5270e766e5d-downloader12h&ts=5d27b21d57180&s=0b675d9c788808b95cef6ce2659aa6b45f1454844f19efec18bb1ad1df29ad2e&pb=U2FsdGVkX18R5qfWe_Uf_MK4lpJRNCLhrka44f84jG-tHJUcRGIL1YNhnAbhuHPVNNDDEGjlHOvt0BtdmCm-k8M2GRf7sG1O6ap9DHR6HLQ

Succeed :)

Finally I found my second XSS STORED on YANDEX.

TIMELINE :

Report : 29/11/2021

Valid : 30/11/2021

Rewards : Hall Of Fame

--

--