Because of a design defect in Baidu's application platform, an XSS in the baidu.com domain can be constructed at will.
When we search for "linux Command Daquan" on Baidu, a Baidu application appears in the results.
This application has an injection vulnerability; that bug itself is not Baidu's fault.
However, if we feed the injection point XSS code encoded as hex, the page directly pops up the cookies of the baidu.com domain. Why? Let's look at the process. The application's original URL is on linuxso.duapp.com, so its cookies are certainly not in the baidu.com domain.
But in Baidu's search results the app is served through a proxy and becomes https://sp0.baidu.com/5aU_bSa9KgQFm2e88IuM_a/linuxso.duapp.com/index.php?key=ls%27+and+1=2+union+select+1,limit%23
We all know the result. This is only an example: anyone who puts an app online that contains an obvious vulnerability can construct an XSS in baidu.com at will.
Solution:
Redesign the proxying process.
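As an added illustration (not part of the original report) of why the proxy collapses the origin boundary: a cookie scoped to .baidu.com is readable by script on any host that domain-matches it, which sp0.baidu.com does and linuxso.duapp.com does not. The isolated host app-proxy.example is a hypothetical stand-in for a redesigned process that rehosts third-party apps off the cookie-bearing domain.

```python
from urllib.parse import urlsplit

# Constructed inputs based on the report: the app's own host, the Baidu proxy URL
# that re-serves it (query string omitted), and a hypothetical isolated proxy host.
ORIGINAL_APP = "http://linuxso.duapp.com/index.php"
PROXIED_APP = "https://sp0.baidu.com/5aU_bSa9KgQFm2e88IuM_a/linuxso.duapp.com/index.php"
SANDBOXED_APP = "https://app-proxy.example/linuxso.duapp.com/index.php"  # hypothetical


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the cookie's Domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def origin(url: str) -> tuple:
    """Browser origin tuple (scheme, host, port) for a URL; default ports filled in."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def cookie_exposed_to(url: str, cookie_domain: str, http_only: bool = False) -> bool:
    """True if script running in the page at `url` can read a cookie scoped to
    cookie_domain: the browser attaches it to every domain-matching host, and
    document.cookie reveals it there unless the cookie is HttpOnly."""
    return domain_matches(origin(url)[1], cookie_domain) and not http_only


def proxy_breaks_isolation(third_party_host: str, proxy_url: str, cookie_domain: str) -> bool:
    """The defect described in the report: a proxy rehosts a third party's content on a
    host that domain-matches the site's own cookies, so any XSS in that third-party app
    runs with the site's cookies. A proxy host outside the cookie domain does not."""
    rehosted = origin("https://" + third_party_host) != origin(proxy_url)
    return rehosted and domain_matches(origin(proxy_url)[1], cookie_domain)


def audit_proxy_routes(routes: dict, cookie_domain: str) -> list:
    """Return the third-party hosts whose proxy route lands inside cookie_domain."""
    return sorted(h for h, url in routes.items()
                  if proxy_breaks_isolation(h, url, cookie_domain))


if __name__ == "__main__":
    for url in (ORIGINAL_APP, PROXIED_APP, SANDBOXED_APP):
        print(f"{url}: baidu.com cookies readable = {cookie_exposed_to(url, '.baidu.com')}")
```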