Reflected XSS in Ebay.com

Sukhmeet Singh
Jul 22 · 3 min read

In Sept. 2013 I found a Reflected XSS in www.ebay.com. Why am I writing it up only now? Because I didn’t want to “show off”, for reasons. Enough with the drama :D. Let’s get to the point.

So I was looking at all the names in the Hall of Fame pages of different sites. On eBay’s Security Researcher page, I thought the list was long, but I wanted my name on it.

So I started playing with all the GET parameters and came to this possibly vulnerable page.

URL: http://www.ebay.in/sch/Coins-Notes-/11116/i.html

Vulnerable parameter: LH_SpecificSeller

Reflected Code:

List of hurdles:

  1. The characters < > and , are removed from the reflected value
  2. The affected area lies within a hidden span (display: none, so no mouse events)

Because the parent span had the CSS style display: none, it was not possible to trigger an event. Nor was it possible to make the affected span visible, for the same reason, though I tried by adding a style attribute. I tried all the other payloads, be it onload / onerror events or a data: URI in the style attribute. But after a little research; OK OK, after 8 hours of research, I came upon a CSS expression payload.
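As an added illustration (not part of the original post, and not eBay’s code): a blacklist filter of the kind described above, which only strips < > and , beside context-aware attribute encoding. The hidden-span markup and the probe value are constructed for this example; the check parses the rendered span and reports whether the reflected value broke out of its attribute, which is exactly what the style-attribute trick above relies on.

```python
import html
import re
from html.parser import HTMLParser

# Constructed template: a hidden span whose attribute reflects the GET value.
# Hypothetical markup, not the real eBay page.
TEMPLATE = '<span style="display:none" data-seller="{value}"></span>'

# Constructed probe: no < > or , in it, so the blacklist leaves it untouched,
# but the quote lets it inject a second style attribute (the post's payload
# used an IE CSS expression in such an attribute; here it is just a colour).
PROBE = 'x" style="color:red'


def blacklist_filter(value: str) -> str:
    """The filter the post describes: drop '<', '>' and ','. Quotes survive."""
    return re.sub(r'[<>,]', '', value)


def attribute_encode(value: str) -> str:
    """Context-aware encoding for an HTML attribute value (quotes included)."""
    return html.escape(value, quote=True)


def render(value: str, sanitizer) -> str:
    """Reflect the value into the template after passing it through sanitizer."""
    return TEMPLATE.format(value=sanitizer(value))


class _SpanAttrs(HTMLParser):
    """Collect the attribute list of the first <span> as the browser would parse it."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == 'span' and self.attrs is None:
            self.attrs = attrs


def span_attributes(rendered: str):
    parser = _SpanAttrs()
    parser.feed(rendered)
    parser.close()
    return parser.attrs or []


def breaks_out(rendered: str) -> bool:
    """True if the reflected value added attributes the template never defined."""
    return [name for name, _ in span_attributes(rendered)] != ['style', 'data-seller']
```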

Aaand it worked! Not in Firefox or Google Chrome, but in Internet Explorer. Yes, I had to use Internet Explorer out of compulsion. But that was enough for me.

So I reported it, and after a month they fixed it and I got a reply from them.

And that’s how I got my name on the list. Here it is.

Written by Sukhmeet Singh (https://twitter.com/MadGuyyy)
