Is the search done with GET or POST? I’m guessing GET, but just to be sure…

Yes, it’s GET.

EDIT:
If my input is this:
'';!--"<XSS>=&{()}
The output is:
\'\';!--\"<XSS>=&{()}
(In source code)
and:
\'\';!--\"=&{()}
(On the page)

So I can for example have this in the source code:
<script>alert(document.domain);</script>
But nothing will happen.

Is that the only parameter in the form?

Yes it’s the only parameter

So the problem is that nothing happens? Can you still paste more about the context where the injected code is? maybe 1-2 lines around it, or even the whole line it is on?

If my input is:
<script>alert(document.domain);</script>
The source code looks like this:
```

If my input is this:
\'\';!--\"<script>alert(document.domain);</script>
The site actually finds something and I got the script twice in the source code:
```

You aren’t trying it on chrome, are you?
If you are, check that the javascript console doesn’t give you the following error:
“Refused to execute a JavaScript script. Source code of script found within request”

Ah, thank you very much. I did it on chrome but didn’t check the console once..
So you’re right I get the error.

With IE it ‘works’ but just when putting it directly in the search box not with the link.
Is there a way to avoid that IE blocks it?

Chrome has since version 11 been using something called “XSSAuditor” (I think this feature is in the webkit engine, so it should also be used by Safari) that basically prevents javascript that is in the request (as in passed in the url for example) to run. IE has actually had an xss-filter since version 8, which is quite surprising imo.

The webkit filter is not designed to catch everything, they have said this themselves, and currently it only filters individual parameters. So if you managed to find two un-escaped variables it shouldn’t be too much of a problem to get past. That would probably be one way to get around the IE filter as well. Other than that you could try googleing for ways, this article seems quite interesting.

Thank you very much, will take a look at it, sounds interesting.
Might help a lot..

ColdIV you can disable it from cmd

Disable it on windows.

1. Run Command Prompt(Windows vista and 7 click Start and type cmd.exe hit enter for Windows XP click Start go to Run and type cmd.exe hit enter.)

2. enter the following command and then press enter. :

C:\Users\your comp username here\AppData\Local\Google\Chrome\Application\chrome.exe –args –disable-xss-auditor

1. Google Chrome will open. Go to a XSS vulnerable website, type your xss vector and execute your xss. It should now pop up your vector.

Well yeah that’s good to know but won’t work if I want to send the script to someone else I guess, because he would have to do the same too.
Thanks anyway for telling me! Nice for testing.