Algolia: Stored XSS from Display Settings triggered on Save and viewing realtime search demo

ID H1:156387
Type hackerone
Reporter ctee
Modified 2016-09-07T08:34:23


Here are the steps to trigger the XSS:

  1. Create a JSON record that will contain the following attribute: {"<img src=1 onerror=alert(document.domain)>": "XSS attribute"}

  2. Go to Indices -> Display and select the attribute <img src=1 onerror=alert(document.domain)> under Attributes for Faceting and click save.

  3. Note that XSS is triggered multiple times on that page.

  4. XSS is now triggered on as it also shows the attribute.

  5. Create a public UI Demo and to the public url, xss is triggered. I've created a demo url: