Our community has moved to Discord. Join us there!
Cybr.com/Discord
These forums are still up for historical purposes.

Home Page Forums General Discussions Would “Search Bars” be considered Self-XSS ?

  • Would “Search Bars” be considered Self-XSS ?

    Posted by Deleted User on June 25, 2021 at 5:39 pm

    I have made this mistake before, so i am just curious when starting on a new target would the search bar be a place to avoid ?

    Christophe replied 3 years, 3 months ago 2 Members · 1 Reply
  • 1 Reply
  • Christophe

    Administrator
    July 12, 2021 at 7:50 pm

    Search bars can be a great place for reflected XSS, since they usually also change the URL as you search. So for example, say we had this search endpoint:

    cybr.com/search/

    When we’d type something in the search bar, we might see this happening to the URL:

    cybr.com/search/?q=example search query

    If you managed to find an XSS vulnerability through the search bar, and you could copy/paste the URL containing your payload, you could send it to a victim, and if they clicked on it, they’d trigger the XSS:

    cybr.com/search/?q=<script>alert(1)</script>

Log in to reply.