A reflected XSS vulnerability was discovered in eBay's search parameter (LH_SpecificSeller); it bypassed character filters (<, >, comma) by leveraging CSS expression payloads in Internet Explorer. The exploit worked even though the vulnerable code sat inside a display:none span, using style="xss:expression()" to execute arbitrary JavaScript.
A reflected XSS vulnerability was discovered in eBay's mobile application through improper sanitization of the itemId parameter, allowing arbitrary JavaScript execution via crafted URLs. The vulnerability was manually identified through input tampering and successfully reported to eBay's security team.
A persistent XSS vulnerability in eBay's My World profile section stemmed from a blacklist-based HTML filter that failed to block deprecated tags like <plaintext>, <fn>, and <credit>. The attacker chained this with event handlers, String.fromCharCode/eval to bypass character limits, missing CSRF protection, and cookies lacking the HttpOnly flag to create a self-propagating worm that could steal session tokens.