Hi. I found a website which has a search bar. The search bar sends a GraphQL query for each input change. If it does not find something, it will return the exact search query and display ‘No results found …’, where ‘…’ is the search query.
If I put the search with a script tag that alerts something and some other specific words, it will return the query and run it in the browser and the alert shows. The thing is, I am not really sure how GraphQL works. The URL of the webpage does not change. I can also see that a GraphQL query was made and it returned the search query (through Chrome Dev Tools Network tab).
Would this be considered an XSS vulnerability?
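
The behaviour described in the post, a search string echoed back in a GraphQL JSON response and then written into the page, comes down to how the client renders that string. The following is an added example, not part of the original post and not the site's code; the response shape, field names and function names are assumptions. It shows the unencoded rendering beside an HTML-encoded one.

```javascript
// Constructed sample: the JSON body a GraphQL search endpoint might return
// when nothing matches. Field names are assumptions, not the site's schema.
const sampleResponse = JSON.stringify({
  data: { search: { results: [], query: '<script>alert(1)</script> shoes' } }
});

// Encode the five characters that let text break out into markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Before: the echoed query is concatenated into markup unchanged,
// so the browser parses whatever tags it contains.
function renderNoResultsUnsafe(responseBody) {
  const { query } = JSON.parse(responseBody).data.search;
  return '<p class="empty">No results found ' + query + '</p>';
}

// After: the echoed query is encoded for an HTML text context first,
// so it is displayed as text instead of being parsed as markup.
function renderNoResultsSafe(responseBody) {
  const { query } = JSON.parse(responseBody).data.search;
  return '<p class="empty">No results found ' + escapeHtml(query) + '</p>';
}

// Review helper: does a script tag from the query survive into the output?
function containsLiveTag(html) {
  return /<\s*script\b/i.test(html);
}

console.log(renderNoResultsUnsafe(sampleResponse));
console.log(renderNoResultsSafe(sampleResponse));
```

The JSON response itself is inert data; the encoding has to happen at the point where the client inserts the string into the document, or the client should assign it as text (for example via `textContent`) rather than as HTML.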