Reflected XSS in ebay.com

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 23 hours ago · bug-bounty
Reflected XSS in Ebay.com | by Sukhmeet Singh

Reflected XSS in Ebay.com
In Sept. 2013 I found a reflected XSS in ebay.com. Here's how I triggered XSS in a `display:none` span without using <>
Sukhmeet Singh · ~3 min read · July 22, 2019 (Updated: December 11, 2021)

In Sept. 2013 I found a reflected XSS in www.ebay.com. Why write it up now? Because I didn't want to "show off", for reasons. Enough with the drama :D. Let's get to the point.

I was looking at all the names in the Hall of Fame pages of different sites. On eBay's Security Researcher page I thought the list was long, but I wanted my name on it. So I started playing with all the GET parameters and came to this possibly vulnerable page.

URL: http://www.ebay.in/sch/Coins-Notes-/11116/i.html
Vulnerable parameter: LH_SpecificSeller
Reflected code: XSS HERE

List of hurdles:
- < > and , are removed
- The affected area lies within a hidden span (display: none, so no mouse events)

Because the parent span had the CSS style display: none, it was not possible to trigger an event on it, and for the same reason it was not possible to make the affected span visible, though I tried by adding a style attribute. I tried every other payload I could think of, be it onload/onerror events or a data: URI in the style attribute. But after a little research; OK OK, after 8 hours of research, I came upon a CSS expression payload.

http://www.ebay.in/sch/Coins-Notes-/11116/i.html?LH_SpecificSeller=1..xss'+style="xss:expression(prompt(1))"+id='1

Aaand it worked! Not in Firefox or Google Chrome, but in Internet Explorer. Yes, I had to use Internet Explorer, out of necessity. But that was enough for me. So I reported it, and after a month they fixed it and I got a reply from them. And that's how I got my name on the list. Here it is.
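The hurdle list above says the filter removed only <, > and commas, while the payload needed none of them: a single quote closed the reflected attribute, and in old Internet Explorer `style="xss:expression(...)"` evaluated JavaScript during style computation, so neither a visible element nor a user event was required. What follows is an added Python example, not code from the post or from eBay, that models that blacklist filter against the attribute breakout and contrasts it with context-aware output encoding; the `data-seller` attribute name and the surrounding markup are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed payload shaped like the one in the post ('+' in the URL decodes to spaces):
# it closes the attribute with a single quote and never uses <, > or a comma.
PAYLOAD = "1..xss' style=\"xss:expression(prompt(1))\" id='1"

# Assumed reflection context: the value lands in a single-quoted attribute of a
# child of the hidden span (attribute name and markup are made up for this example).
TEMPLATE = "<span style=\"display:none\"><span data-seller='%s'>seller</span></span>"


def blacklist_filter(value: str) -> str:
    """The kind of filter the post describes: strips <, > and commas, nothing else."""
    return value.translate({ord(c): None for c in "<>,"})


def render_vulnerable(seller: str) -> str:
    """Reflects the blacklist-filtered value straight into the attribute."""
    return TEMPLATE % blacklist_filter(seller)


def render_hardened(seller: str) -> str:
    """Context-aware output encoding: quotes become entities, so the attribute cannot be closed."""
    return TEMPLATE % html.escape(seller, quote=True)


class _InnerSpanAttrs(HTMLParser):
    """Collects the attributes of the last <span> start tag, as a browser tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "span":
            self.attrs = dict(attrs)


def reflected_attributes(markup: str) -> dict:
    """Return the attributes the inner span ends up with after parsing (entities decoded)."""
    parser = _InnerSpanAttrs()
    parser.feed(markup)
    return parser.attrs


def breakout_succeeded(markup: str) -> bool:
    """True when an attacker-controlled style attribute was injected onto the element."""
    return "expression(" in reflected_attributes(markup).get("style", "")
```

With the hardened renderer the whole payload survives as the attribute's value, which is the behaviour a regression test should lock in rather than the absence of individual characters.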
#bug-bounty #ebay #whitehat