Saturday, July 2, 2016

Reflected XSS on secnews.gr

For those who don't know, SecNews is a Greek website that informs its visitors about the latest news in the hacking and IT security industry. While browsing HackerOne, I noticed they had published a bug bounty program and decided to take a look. I entered a generic XSS payload (<b onmouseover=alert('test')>test</b>) in the search bar and was surprised to see the following output:



Unfortunately, when I moved my mouse over 'test' nothing happened. I tried other payloads, with no success. Then I thought: why not check whether 'test' was being treated as HTML? So the next payload I entered (<b onmouseover=alert('test')><h1>test</h1></b>) returned:



Now, to escalate this to XSS, all I had to do was enter <b onmouseover=alert('test')><body onload=alert(1)></b>:

Success! After further testing, I reduced the payload to: '><body onload=alert(1)>
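As an added example (not code from the original post or from secnews.gr), the Python below models the pattern behind this class of bug, a search term reflected into the results page without encoding, next to the fixed version that HTML-escapes it before reflection. The page template, the single-quoted `value` attribute context that the `'>` prefix of the reduced payload is assumed to break out of, and the access-log request line are constructed for the demonstration; the payloads are the ones quoted in the post. A small HTML-parser check lists the event-handler attributes a browser would actually see in each rendering, and a log-side check flags search parameters carrying a tag with an `on*` attribute.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed inputs: the payloads quoted in the post plus a benign search term.
SAMPLE_QUERIES = [
    "test",
    "<b onmouseover=alert('test')>test</b>",
    "'><body onload=alert(1)>",
]

# Hypothetical results page (assumed layout, not secnews.gr's): the term is
# reflected twice, inside a single-quoted attribute and as element text.
TEMPLATE = "<input name='s' value='{q}'><h2>Results for {q}</h2>"


def render_vulnerable(query: str) -> str:
    """Reflect the search term verbatim: the pattern behind a reflected XSS."""
    return TEMPLATE.format(q=query)


def render_fixed(query: str) -> str:
    """Reflect the search term after HTML-escaping it.

    quote=True also encodes ' and ", which is what stops the '> prefix of the
    reduced payload from closing the value='...' attribute.
    """
    return TEMPLATE.format(q=html.escape(query, quote=True))


class HandlerCollector(HTMLParser):
    """Collect every on* event-handler attribute present in the parsed markup."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name, value))


def event_handlers(rendered: str) -> list:
    """Parse rendered HTML and return (tag, attribute, value) for each handler found."""
    collector = HandlerCollector()
    collector.feed(rendered)
    collector.close()
    return collector.handlers


# Detection side: a tag whose attributes include an on* handler, e.g. <body onload=.
PROBE_RE = re.compile(r"<\s*[a-z][^>]*\bon[a-z]+\s*=", re.IGNORECASE)


def xss_probe_params(request_line: str) -> list:
    """Return (name, value) query parameters in an access-log request line that
    carry a tag with an event-handler attribute. parse_qs percent-decodes values."""
    _method, path, _proto = request_line.split(" ", 2)
    params = parse_qs(urlparse(path).query, keep_blank_values=True)
    flagged = []
    for name, values in params.items():
        for value in values:
            if PROBE_RE.search(value):
                flagged.append((name, value))
    return flagged


# Constructed access-log request line carrying the reduced payload, URL-encoded.
SAMPLE_REQUEST = "GET /?s=%27%3E%3Cbody%20onload%3Dalert(1)%3E HTTP/1.1"

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(repr(q))
        print("  vulnerable:", event_handlers(render_vulnerable(q)))
        print("  fixed:     ", event_handlers(render_fixed(q)))
    print("flagged:", xss_probe_params(SAMPLE_REQUEST))
```

Running it shows the reduced payload producing `onload` handlers in the vulnerable rendering (once per reflection point) and none in the fixed one, where the same characters reach the page as `&#x27;&gt;&lt;body ...&gt;` and are displayed as text. The escaping is context-specific: `html.escape` is correct for element text and quoted attribute values, but a term reflected into a JavaScript block or a URL would need the encoding for that context instead.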