XSS on yandex.ru

    Yesterday, a friend of mine (LMaster) found a passive XSS on Yandex. A specially crafted address passed to the victim makes it possible to steal cookies. The GET parameter add is not filtered. Triggering the script does not require any user action.
    Request:
    _http://www.yandex.ru/?add=3188">&edit=1
    P.S. He himself does not have access to the hub "The main theme".
    UPD: The vulnerability is closed. This has already been reported in the comments. Please do not create hundreds of answers: “Does not work!”
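An added example, not part of the original post and not Yandex's code: assuming the `add` value is reflected into a double-quoted HTML attribute (the post does not show the page markup), it contrasts unfiltered output with attribute encoding and allow-list validation. The `<input>` markup, the function names and the numeric-ID rule are hypothetical.

```javascript
// Query string taken from the request in the post.
const SAMPLE_QUERY = 'add=3188">&edit=1';

// Unfiltered form: the raw parameter is concatenated into the attribute,
// so a double quote in the value ends the attribute early.
function renderUnsafe(add) {
  return '<input type="hidden" name="add" value="' + add + '">';
}

// Encode every character that can close an attribute value or open a tag.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Mitigation 1: contextual output encoding at the point of reflection.
function renderEncoded(add) {
  return '<input type="hidden" name="add" value="' + escapeAttr(add) + '">';
}

// Mitigation 2: allow-list validation on input.
// Assumption: `add` is meant to be a short numeric identifier.
function parseAddId(add) {
  return /^[0-9]{1,10}$/.test(add) ? Number(add) : null;
}

// True when the output is still exactly one element whose value attribute
// contains no raw quote or angle bracket (the value stayed inside it).
function attributeIntact(html) {
  return /^<input type="hidden" name="add" value="[^"<>]*">$/.test(html);
}

// Run the three variants over the parameter value from the sample query.
function demo() {
  const add = new URLSearchParams(SAMPLE_QUERY).get('add');
  return {
    value: add,
    unsafeIntact: attributeIntact(renderUnsafe(add)),
    encodedIntact: attributeIntact(renderEncoded(add)),
    encodedHtml: renderEncoded(add),
    validatedId: parseAddId(add),
  };
}

console.log(demo());
```

Encoding at output and validating at input are complementary: the first keeps any value inert in the markup, the second rejects values the parameter should never carry.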




