Written by Gábor Pék

In our previous blog, we gave you a small introduction to Cross-site Scripting (XSS) attacks and added some easy challenges to get a taste of web security. It seems, however, that XSS is still one of the top vulnerabilites on the web. An attack against Yahoo Mail and various sandbox escape techniques keep this this topic hot.
We took the opportunity to prepare a small XSS gift for you for Christmas ????
XSS vulnerability in Yahoo Mail
This year was really interesting in terms of real use-cases. One of the most recent findings was described by Jouko Pynnönen about a stored XSS vulnerability in Yahoo Mail. According to JP’s blog “The flaw was reported to Yahoo Security via HackerOne on November 12 and fixed on November 29, 2016. Yahoo awarded a bounty of $10,000 for the finding.” In short, an attacker could perform a DOM-based XSS attack via dynamically generated HTML markups controlled by user-supplied values that were not properly sanitized.
AngularJS
Another interesting issue was when the AngularJS team decided to remove their “expression sandbox” from AngularJS 1 after reporting escapes for all AngularJS 1 versions. It’s important to emphasize that this sandbox was never intended to provide real protection against XSS attacks. It rather misled developers who kept relying upon it as a security feature.
Javascript function overrides
There are other XSS mitigation techniques such as Javascript function overrides, but these also failed to provide long-term XSS protection. A recent blog entry on brutelogic.com suggests to use iframes to bypass the protection provided by “js-override.js”.
Practice with us!
You can see that XSS is still hot and it makes total sense to arm yourself against it. Try your skills again by solving our Avatao XmaSS challenge. Enjoy!
If you like our posts and challenges, follow us on Twitter and Facebook for the most recent updates.
We wish you a Merry Christmas!
Related Articles
API vulnerability: Wild card to win USPS customer data
Reading Time: 3 minutes The US Postal Service launched its Informed Visibility program last year to provide better insight into their mailstream service. For example, one can obtain near real-time notifications about delivery dates and identify trends. However, they have made much more data available than intended, at least 60 million customers were exposed to anyone who is registered on http://www.usps.com.
How I could have stolen your photos from Google – my first 3 bug bounty writeups
Reading Time: 8 minutes IT security is a really huge topic and until you find your first bug you can’t be sure that you have the required amount of knowledge, luck, and patience. Joining the club of bug bounty hunters as a newbie is hard, so let me share my story with you.
The three fatal bugs behind the Facebook breach
Reading Time: 5 minutes The Facebook breach was discovered after the social media company saw an unusual spike of user activity that began on September 14, 2018. A few days later, on Tuesday, September 25, Facebook’s engineering team discovered an unprecedented security issue, that affected about 30 million users. The social media giant says the flaw has been patched, but the people behind this attack are still unknown.