Vulnerability Exploited : cross site scripting using csrf
Impact :The attacker can access the victim's cookies associated with the website using document.domain, send them to his own server, and use them to hijack the session of target user. An attacker can also register a keyboard event listener using addEventListener and then send all of the user's keystrokes to his own server, potentially recording sensitive information such as passwords and credit card numbers.
Payload : <script>alert(document.domain>
step to reproduce: 1) login the URL https://gratipay.com. 2) go to search button. 3)use the proxy like burp suit.and intercept the request of search box. 4)generate the csrf code ,then after write in search to above payload. 5) csrf text file run in the browser 6) you can see that cross site scripting.