1) Cross-Site Flashing - wordstat.yandex.com
Bug in ammap.swf, that allows us to use configuration files from external resources, modify Flash content and of course - abuse it. :)
This resource is removed at the moment, but here you have payload URL I used:
Configuration files: yandex.xml oraz evil_data.xml
First - check the context menu and new option - 'Download users database from this region' ;)
After clicking - our "database" is prepared to download - information in bottom of site.
When progress is 100% - our payload is executed.
2) Stored XSS - Yandex Maps
I provided short PoC video:
3) Mixed-content - Yandex Video
This one wasn't rewarded and in fact - all modern browsers blocks mixed-content at the moment (also Firefox). Demonstration video just for education purposes and fun ;-)