SearchIt reflects your query into the page with no escaping. Craft an XSS payload, send it to the bot endpoint, and steal the admin's session cookie.
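
For the defender's view of the same bug, here is an added example (not SearchIt's own code, which the page does not show) that puts the unescaped reflection beside an output-encoded version and adds response headers that limit what an injected script could reach. The function names, the `session` cookie name and the CSP value are assumptions made for illustration.

```javascript
// Added example: hypothetical render functions, not the challenge's source.

// The flaw as described: the query is concatenated into HTML as-is,
// so any markup in it is parsed by the browser.
function renderResultsUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Encode the characters that are significant in element content and
// quoted attribute values. String() also covers array-valued parameters.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Fixed render: plain text is unchanged, markup becomes inert text.
function renderResultsSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Defence in depth: HttpOnly keeps the session cookie out of
// document.cookie, and the CSP blocks inline script execution.
function responseHeaders(sessionId) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'Set-Cookie': `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`,
  };
}

// Constructed probe input: harmless markup that shows whether the
// reflection is encoded.
const SAMPLE_QUERY = '"><b>probe</b>';

console.log(renderResultsUnsafe(SAMPLE_QUERY)); // markup survives
console.log(renderResultsSafe(SAMPLE_QUERY));   // markup is encoded
console.log(responseHeaders('constructed-session-id'));
```

`escapeHtml` is correct for HTML element content and quoted attributes only; a value reflected into a script block, URL or CSS context needs the encoder for that context.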