In Sept. 2013 I found a Reflected XSS in www.ebay.com. Why am I writing it up now? Because I didn’t want to “show off”, for reasons. Enough with the drama :D. Let’s get to the point.
So I was looking at all the names in the Hall of Fame of different sites. On eBay’s Security Researcher page, I thought the list was long, but I wanted my name on it.
So I started playing with all the GET parameters and came to this possibly vulnerable page:
<span title='XSS HERE'> XSS HERE </span>
List of hurdles:
- The affected area lies within a hidden span (display: none, so no mouse events).
Because the parent span had the CSS style display: none, it was not possible to trigger an event. Nor was it possible to make the affected span visible, for the same reason, though I tried by adding a style attribute. I tried every other payload, be it onload / onerror events or a data: URI in the style attribute. But after a little research; OK OK, after 8 hours of research, I came upon a CSS expression payload.
Aaand it worked! Not in Firefox or Google Chrome, but in Internet Explorer. Yes, I had to use Internet Explorer, out of necessity. But that was enough for me.
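The root cause here is not the hidden span but the fact that a GET parameter was reflected into an attribute value without encoding; display: none only limited which payloads could fire. The following is an added example (not code from the original post or from eBay) showing the naive rendering beside an attribute-context escaper, with a small check that counts how many attributes the rendered span ends up with. The `title` attribute and surrounding markup are assumed from the snippet quoted above; the real page's template and parameter names are unknown.

```javascript
// Added example, not from the original post: attribute-context output encoding
// for user input reflected into <span title='...'> as in the snippet above.
// The surrounding markup is assumed; the real eBay template is not known.

// Naive rendering: the raw parameter is concatenated into a single-quoted
// attribute and into the element's text. This is the vulnerable shape.
function renderTitleUnsafe(userInput) {
  return "<span title='" + userInput + "'> " + userInput + " </span>";
}

// Escape every character that can end an attribute value or open a tag.
// Covering both quote styles makes the output safe for single- or
// double-quoted attributes as well as plain text content.
function escapeAttr(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(s).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Hardened rendering: same template, but the value is encoded first.
function renderTitleSafe(userInput) {
  const v = escapeAttr(userInput);
  return "<span title='" + v + "'> " + v + " </span>";
}

// Defender's check: how many name='value' attributes does the opening
// <span> tag carry? A broken-out attribute value shows up as extra pairs.
// Returns -1 if the tag does not parse as a simple single-quoted attribute list.
function attributeCount(html) {
  const m = html.match(/^<span((?:\s+[\w-]+='[^']*')*)\s*>/);
  if (!m) return -1;
  return (m[1].match(/\s+[\w-]+='[^']*'/g) || []).length;
}

// Constructed sample input: a quote followed by a harmless extra attribute.
// With the unsafe renderer the quote closes title early and foo='bar'
// becomes a second attribute; with escaping it stays inside the title value.
const sample = "x' foo='bar";

console.log(renderTitleUnsafe(sample), attributeCount(renderTitleUnsafe(sample)));
console.log(renderTitleSafe(sample), attributeCount(renderTitleSafe(sample)));
```

The check is deliberately crude (it only understands single-quoted attributes), but it is enough to make the point a code reviewer cares about: the hidden-span "hurdle" the post describes is a browser-side obstacle, while the server-side fix is encoding at the point of reflection, which works regardless of which browser or CSS feature the reflected value would otherwise reach.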
So I reported it, and after a month they fixed it and I got a reply from them.
And that’s how I got my name on the list. Here it is.