This XSS was accidental. For whatever reason, I was messing about with the search bar, putting various payloads into it without expecting to find anything. So eventually, I put the following payload into the search bar:
And of course, nothing happened. But something caught my eye.
In the Urban Dictionary results specifically, something was weird. It looked like there was an HTML injection. Surely not, right? This is DuckDuckGo we're talking about.
Sure enough, looking into the source HTML, it was real. There was an HTML injection taking place in that little green URL. The Urban Dictionary URL itself was doing no encoding, and DuckDuckGo failed to sanitise it properly, so HTML was rendering. After confirming this, it was just a matter of finding a URL with an XSS payload.
And it worked. The alert popped up.
This wasn't just limited to Urban Dictionary - it rendered a Bitdefender profile URL as well. The attack vector may be a bit weird - to exploit this, an attacker would have to get their URL to the top of the search results for a given search term, then send a victim a DuckDuckGo URL for that search term - but nonetheless, it's there. XSS on the main DuckDuckGo search results.
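To make the root cause concrete, here is an added example (my own illustration, not DuckDuckGo's code) of a result renderer that concatenates a third-party URL into the "green URL" markup verbatim, next to a hardened version that escapes the displayed text and only accepts http(s) URLs in the href. The `renderResult*` functions, the `SAMPLE` result object and the hostile URL in it are all constructed for the example.

```javascript
// Added example, not code from DuckDuckGo. Demonstrates how an unencoded
// upstream URL rendered into a result's display line becomes HTML injection,
// and how escaping the displayed text plus validating the href prevents it.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can break out of text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Only allow http(s) URLs into an href; anything else is replaced with "#".
function safeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : '#';
  } catch {
    return '#';
  }
}

// Vulnerable form: the upstream URL is interpolated into markup as-is, so any
// HTML it contains is rendered by the browser (the behaviour described above).
function renderResultVulnerable(result) {
  return `<a href="${result.url}"><span class="url">${result.url}</span></a>`;
}

// Hardened form: validate the href and escape the text shown in the green URL.
function renderResultSafe(result) {
  const href = escapeHtml(safeHref(result.url));
  return `<a href="${href}"><span class="url">${escapeHtml(result.url)}</span></a>`;
}

// Constructed sample: a result whose URL carries markup, as a hostile upstream
// page could supply. Nothing is executed here; the output is a plain string.
const SAMPLE = { title: 'example', url: 'https://example.test/<b>bold</b>?q="x"' };

console.log(renderResultVulnerable(SAMPLE)); // markup survives intact
console.log(renderResultSafe(SAMPLE));       // markup is inert text
```

The safe renderer addresses both the displayed text (escaping) and the link target (scheme check), since fixing only one of them leaves the other context exposed.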
I reported this to the DuckDuckGo VDP on HackerOne, and after a day or two it was triaged as the HackerOne triager was able to reproduce it on their end. I put "Reflected" in the title, but this isn't really a reflection - this is more persistent. About two weeks later, I tried again and the alert didn't pop. I asked the triage team, and apparently this behaviour had been seen before, but had resolved itself by the time their team had gotten around to dealing with it. Fortunately, the HackerOne triager had been able to reproduce this at the time of my report. A very weird conclusion to a very weird XSS.
DuckDuckGo rewarded me with swag, which was my first swag on HackerOne. The triage team were helpful and reasonably quick to respond throughout. You can read the original report here: https://hackerone.com/reports/1110229
So there you have it. XSS on DuckDuckGo. Until next time, sayonara. :)