Persistent DOM XSS on ebay.com domain.
In detail... :)
One of my hobbies is selling on ebay.
In January 2015, I analyzed the creation of a selling page and how it is handled by ebay.com.
It's ok, it's "secure".
While analyzing that script, I noticed that it contains a postMessage() call:
and... if there is a postMessage(), somewhere there should be some kind of receiveMessage() handler.
There are a lot of postMessage() calls, so I decided to search by domain name.
Let's search for vi.vipr.ebaydesc.com in all resources:
then the key 'tgto' is used as the origin:
Bingo! There are two variables that are rendered to the client!
Now I need to write a working XSS payload for it, with some evasions to get past the simple filtering...
_odtTitle='<script>alert(\'xss by alexander korznikov\\n\\n\'+document.domain);<\/script>';
Encoded with base64 and appended to the listing description in a <script> tag:
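To show the defender's side of the bug described above, here is an added example (my own code, not eBay's, and not part of the original post) of how a parent-page postMessage receiver can handle listing-description fields such as _odtTitle safely. It assumes the message is a JSON object, that the only trusted sender origin is the description frame's origin named above (vi.vipr.ebaydesc.com), and it uses a tiny stand-in for a DOM element so it runs under Node. The key point: an origin allow-list is necessary but not sufficient when the allowed origin hosts user-supplied content, so every field is still treated as text, never as markup.

```javascript
// Added example, not eBay's code. Models a parent-page receiveMessage()
// handler for listing-description fields rendered into the page.
// Assumptions: exact allow-listed sender origin, JSON message body,
// and a single rendered string field named _odtTitle.

const ALLOWED_ORIGINS = new Set(["https://vi.vipr.ebaydesc.com"]);

// Known rendered fields and their maximum length. The write-up mentions two
// rendered variables but names only _odtTitle; add the other one here.
const FIELD_LIMITS = { _odtTitle: 200 };

// Exact origin comparison: scheme, host and port must all match.
// A substring test such as origin.includes("ebaydesc.com") would also
// accept look-alike hosts, so the whole origin string is compared.
function isAllowedOrigin(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Reduce an untrusted message to the known string fields; reject anything else.
function parseListingMessage(raw) {
  let data = raw;
  if (typeof raw === "string") {
    try { data = JSON.parse(raw); } catch (e) { return null; }
  }
  if (!data || typeof data !== "object") return null;
  const out = {};
  for (const key of Object.keys(FIELD_LIMITS)) {
    const v = data[key];
    if (v === undefined) continue;
    if (typeof v !== "string" || v.length > FIELD_LIMITS[key]) return null;
    out[key] = v;
  }
  return out;
}

// Escape for an HTML text context when a string must be built into markup.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Minimal stand-in for a DOM element so the example runs without a browser.
function makeElement() {
  return { textContent: "", innerHTML: "" };
}

// Unsafe sink: concatenating a message field into innerHTML is what lets a
// stored payload in the listing description run on the parent page's origin.
function renderUnsafe(el, title) {
  el.innerHTML = "<h1>" + title + "</h1>";
  return el.innerHTML;
}

// Safe sink: textContent treats the field as data, and the escaped copy is
// what an equivalent string-templated innerHTML would contain.
function renderSafe(el, title) {
  el.textContent = title;
  el.innerHTML = "<h1>" + escapeHtml(title) + "</h1>";
  return el.innerHTML;
}

// Receiver: origin allow-list first, then strict shape check, then text-only render.
function handleMessage(event, el) {
  if (!isAllowedOrigin(event.origin)) return { accepted: false, reason: "origin" };
  const fields = parseListingMessage(event.data);
  if (!fields || fields._odtTitle === undefined) return { accepted: false, reason: "shape" };
  renderSafe(el, fields._odtTitle);
  return { accepted: true, html: el.innerHTML };
}

// Constructed message carrying the payload string from the write-up, sent
// from the allow-listed origin (so the origin check alone would not stop it).
const SAMPLE_PAYLOAD = "<script>alert('xss by alexander korznikov\\n\\n'+document.domain);<\/script>";
const SAMPLE_EVENT = {
  origin: "https://vi.vipr.ebaydesc.com",
  data: { _odtTitle: SAMPLE_PAYLOAD, tgto: "https://www.ebay.com" },
};

// Compares the two sinks on the same input: the unsafe one emits a live
// <script> element, the safe one emits inert text.
function demo() {
  const unsafe = renderUnsafe(makeElement(), SAMPLE_PAYLOAD);
  const result = handleMessage(SAMPLE_EVENT, makeElement());
  return {
    unsafeContainsScript: /<script/i.test(unsafe),
    safeContainsScript: /<script/i.test(result.html),
    result,
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The "simple filtration" the post mentions is a blocklist applied to the data; the approach here instead never hands the data to an HTML parser, so base64 or other encoding tricks have nothing to evade.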
Thank you eBay for this cool challenge! :)
P.S. But why did it take you a year to fix it?
Hope they paid you well for it. Over a year to fix such a vulnerability is an outright joke.
Unfortunately they don't have a money bug bounty program. All I've got is a hall of fame...
That is a shame, but good research anyway, thanks for sharing.