Summary

  • Muhammad Nizar discovered that the search-results endpoint on the Mars website was vulnerable to both HTML injection and Reflected Cross-Site Scripting (XSS).
  • After finding that basic XSS attempts were blocked by Cloudflare’s web application firewall (WAF), Nizar discovered that converting the payload to uppercase was sufficient to bypass the filter and trigger the XSS.
  • Nizar also provided a reference payload that leverages SVG tags to steal cookies: when loaded, the payload reads the cookies using document.cookie and sends them to a remote server.
  • The vulnerability has since been fixed.
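The root cause behind the uppercase bypass is that a signature-based filter was standing in for output encoding. The following added example (not code from Nizar's writeup or from the Mars site) contrasts a case-sensitive blocklist with HTML-escaping the reflected search term; the probe strings, the token list and the page template are all constructed for illustration.

```python
import html

# Constructed probes: the same harmless tag in lowercase and in uppercase.
PROBES = ["<script>x</script>", "<SCRIPT>x</SCRIPT>"]

# Illustrative case-sensitive signature list, the kind of rule a case change slips past.
BLOCKED_TOKENS = ["<script", "<svg", "onload="]


def naive_waf_blocks(query: str) -> bool:
    """Case-sensitive substring matching: blocks the lowercase probe, misses the uppercase one."""
    return any(tok in query for tok in BLOCKED_TOKENS)


def casefolded_waf_blocks(query: str) -> bool:
    """Same blocklist after case folding: closes this particular gap but is still only a blocklist."""
    q = query.lower()
    return any(tok in q for tok in BLOCKED_TOKENS)


def render_results_vulnerable(query: str) -> str:
    """Reflects the search term into HTML unescaped (the defect class the summary describes)."""
    return f"<h1>Results for {query}</h1>"


def render_results_fixed(query: str) -> str:
    """Output encoding for an HTML text context: '<', '>', '&' and quotes become entities,
    so the term is displayed literally whatever its case."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def reflected_fragment(page: str) -> str:
    """Return just the part of the rendered page that came from user input."""
    start = page.index("Results for ") + len("Results for ")
    end = page.rindex("</h1>")
    return page[start:end]


if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe!r}: naive block={naive_waf_blocks(probe)}, "
              f"casefolded block={casefolded_waf_blocks(probe)}")
        print("  vulnerable ->", reflected_fragment(render_results_vulnerable(probe)))
        print("  fixed      ->", reflected_fragment(render_results_fixed(probe)))
```

The fixed renderer neutralises both probes without any filter at all, which is why the encoding change, not a WAF rule tweak, is the durable remediation.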

By Muhammad Nizar

Original Article