Stored XSS on Search Engine

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

Overview

A stored XSS vulnerability was found in the Qwant search engine in February 2020 and was fixed within a few hours of triage.

Proof of Concept

  1. Create a blog or website with an XSS payload as its title. I created an account on www.prezi.com and added a blog with an XSS payload as the title.
  2. Wait a few days for the search engine's crawler to crawl your website. It took 8 days for the website to be crawled and listed on the Qwant search engine.
  3. Search for the website name. As you can see, the XSS payload is executed in the browser.
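The root cause in the steps above is that a crawled page title is written into the results page without output encoding. The sketch below is an added example, not Qwant's code or the author's: it shows that pattern next to a hardened renderer. The function names, the record shape and the sample title (a harmless test marker) are assumptions constructed for illustration.

```javascript
// Added example: crawled fields are untrusted input to the results page.
// Constructed sample record; the title is a harmless test marker.
const crawled = {
  title: '<script>/* test marker */</script> My Blog',
  url: 'https://blog.example/post?a=1&b=2',
};

// Vulnerable pattern: crawled text concatenated straight into markup.
function renderResultUnsafe(r) {
  return '<a href="' + r.url + '"><h3>' + r.title + '</h3></a>';
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only http(s) links may reach an href; anything else is replaced with "#".
function safeHref(raw) {
  try {
    const u = new URL(raw);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch {
    return '#'; // not parseable as an absolute URL
  }
}

// Hardened renderer: every crawled field is encoded for its output context.
function renderResultSafe(r) {
  return '<a href="' + escapeHtml(safeHref(r.url)) + '"><h3>' +
    escapeHtml(r.title) + '</h3></a>';
}

console.log(renderResultUnsafe(crawled)); // markup from the title survives intact
console.log(renderResultSafe(crawled));   // title is displayed as inert text
```

Encoding belongs at render time, in the component that builds the results page, so that titles already stored in the index before the fix are also displayed as text.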

Sunil Katakdhond
Cyber Security Analyst - Penetration Tester

My research interests include Penetration Testing, Exploit Development and IT Infrastructure Security.