DOMSDAY Analyzing a DOM-Based XSS in Yahoo!


Analyzing a DOM-Based XSS in Yahoo!



hello again to all great readers

before going future i want talk a bit about abysssec.  i want to talk about abysssec, in 5 years I worked as a CTO In abysssec and I had a very great the time in team. What I want to write now is actually my last post (as CTO) from abysssec team (maybe i write as guest in future). that’s it after ~5 year I finally want to leave home to new home with best wishes for abysssec new management team. so good or bad i hope you enjoyed my works i as did in abysssec. abysssec team will work as always and like before just with new management team as will share information just like before.

So finally you can follow me on twitter with @ShahinRamezany  (@abysssec account twitter will be managed by new management team) for my new company news and also our long waited training classes.


Yahoo! vulnerability :

as you may read in news Yahoo! recently fixed a DOM-based cross site scripting in one of  strongly used JS files. and as i promised i want share PoC and step by step article about finding and exploiting this vulnerability.

so here is paper abstract.


As a security researcher in my free time I spend my time on both application and web application security. During one of my researches while I was focusing on auditing JavaScript codes I spent some time on Alexa top ranks and their JS libraries to see what I can find in theme. So I started working on apple, FaceBook, Yahoo! I just surprised I found few issues on all of them! And in this article I want to explain one of my cool findings on Yahoo! Mail which can be used to completely compromise an account.

According to Wikipedia[1], Yahoo mail has around 310 million users in October 2011 so any serious vulnerabilities puts millions of users in risk. Finding XSS in Yahoo! is not a new thing and is not that so hard. Reason of creating this article is not just proofing Yahoo! is vulnerable and it’s about how easy is to find and exploit vulnerabilities in well-known websites.

So in this short paper we will review on 5 steps.

  • Introduction
  • Step I   : Steps to finding vulnerability
  • Step II  : Triggering and analyzing the vulnerability
  • Step III : Exploiting the vulnerability
  • Step IV : Hijacking user accounts
  • Step V  :  Patching the vulnerability
  • Yahoo incomplete patch
  • Appendix : Demo
  • Appendix II  : Dominator to rescue
  • Credits / References

Paper Download link!_DOMSDAY.pdf


PoC Demo


you can watch demo here :

also you can download it from here

update : youtube removed video after ~30K  viewers and i don’t know why …

press links :


i know it’s too late but happy new years !

be safe
Shahin Ramezany



20 ways to php Source code fuzzing (Auditing)

Hello .

This article is only for who attend php as well and really knowing how to program In PHP.

When we talk about PHP Vulnerability discovery, we forget this Question:
What types of bugs?

When we can answer this Question, we will gain to find vulnerability as well as drink some water.

Reading in  this article :

Section 1 : (20 ways to PHP source code Auditing – PHP Fuzzing)
1- Cross Site Scripting
2- SQL Injection [medium]
3- HTTP Response Splitting [Medium]
4- Dynamic Evaluation Vulnerabilities [High]
5- Process Control / PHP Code Injection (HIGH)
6- Local / Remote file inclusion (High)
7 – File Management (HIGH)
8- Buffer overflows (High, But Hard Usage)
9- Cookie / Session injection / Fixation / [High]
10 – Denial Of service [Medium, But Hard Assessment]:
11 – XPath Injection [XML Functions]
12 – Often Misused: File Uploads (High)
13 – Un-Authorize summon of Functionality / File (Medium)
14 – Authentication Bypass with Brute Force (Low)
15 – Insecure Randomness Session / Cookie / Backup files (Medium)
16 – Informative details in HTML Comments (Low)
17 – Default unnecessary installation files (medium)
18 – Regular Expression Vulnerability (High)
19 – Resource Injection (Medium)
20 – Week Password / Encryption: (Low)

Section 2:
Automatic PHP Auditor source code

This article is not a full reference about PHP source code security review (a.k.a auditing) but I tried to do this work in my short time as well. So please take my apology about all of mistakes (maybe) I made during completing this article.  I’m not sure but maybe I’ve release future version of this article that contain a few more advanced methods.

Here is some of future talk and topics may I add this article in next version:
1-    More Real world Attack with Description
2-    PHPIDS Defense.
3-    More Dangerous Functions: CURL – socket – creat_function & ….
4-    Talk About pear functions and security of used.
5-     Information About Books of PHP Securea Coding.
6-     And ETC

Download :





Get Adobe Flash player