Reflected XSS in Ebay.com

Sukhmeet Singh
Jul 22, 2019 · 3 min read

In Sept. 2013 I found Reflected XSS in www.ebay.com. Why am I writing it up now? Because I didn’t want to “show off”, for reasons. Enough with the drama :D. Let’s get to the point.

So I was looking at all the names in the Hall of Fame of different sites. On Ebay’s Security Researcher page, I thought: the list is long, but I want my name in the list.


So I started playing with all the GET parameters and came to this possibly vulnerable page.

URL: http://www.ebay.in/sch/Coins-Notes-/11116/i.html

Vulnerable parameter: LH_SpecificSeller

Reflected Code:

<span style="display:none">
<span title='XSS HERE'> XSS HERE </span>
</span>

List of hurdles:

  1. < > and , are removed
  2. Affected area lies within a hidden span (display: none, no mouse events)

Because the parent span had the CSS style display: none, it was not possible to trigger an event. Nor was it possible to make the affected span visible, for the same reason, though I tried by adding a style attribute. I tried all other payloads, be it onload / onerror events or a data: URI in the style attribute. But after a little research (OK, OK, after 8 hours of research) I came upon a CSS expression payload.

http://www.ebay.in/sch/Coins-Notes-/11116/i.html?LH_SpecificSeller=1..xss'+style="xss:expression(prompt(1))"+id='1

Aaand it worked! Not in Firefox and Google Chrome, but in Internet Explorer. Yes, I had to use Internet Explorer out of compulsion. But that was enough for me.
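
Why removing `<`, `>` and `,` was not enough here, as an added example that is not part of the original post and not eBay's code: the value is reflected inside a single-quoted attribute, so an unescaped `'` is all it takes to add new attributes. The template and sample value come from the post; the function names are hypothetical, and attribute encoding with `html.escape` is an assumed fix, since the post does not say how eBay fixed it.

```python
import html
from html.parser import HTMLParser

# Template copied from the "Reflected Code" shown in the post.
TEMPLATE = (
    '<span style="display:none">\n'
    "<span title='{v}'> {v} </span>\n"
    "</span>"
)

# Decoded value of LH_SpecificSeller from the post's URL ('+' decodes to a space).
SAMPLE = "1..xss' style=\"xss:expression(prompt(1))\" id='1"


def strip_filter(value):
    """The filtering the post observed: '<', '>' and ',' are removed."""
    return value.translate(str.maketrans("", "", "<>,"))


def render_weak(value):
    """Blacklist only: quotes pass through into the attribute."""
    return TEMPLATE.format(v=strip_filter(value))


def render_hardened(value):
    """Assumed fix: encode for the HTML attribute/text context."""
    return TEMPLATE.format(v=html.escape(value, quote=True))


class _SpanCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.spans = []

    def handle_starttag(self, tag, attrs):
        if tag == "span":
            self.spans.append(dict(attrs))


def inner_span_attrs(markup):
    """Parse the markup and return the attributes of the inner (second) span."""
    parser = _SpanCollector()
    parser.feed(markup)
    parser.close()
    return parser.spans[1]


if __name__ == "__main__":
    print("weak:    ", inner_span_attrs(render_weak(SAMPLE)))
    print("hardened:", inner_span_attrs(render_hardened(SAMPLE)))
```

With the blacklist, the parser sees three attributes on the inner span (`title`, `style`, `id`); with encoding, the whole value stays inside `title`.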


So I reported it and after a month they fixed it and I got a reply from them.


And that’s how I got my name in the list. Here it is.
