Friday, February 8, 2013

eBay XSS vulnerability

How about finding a vulnerability in the biggest online marketplace in world?

When searching on eBay I found out that it's possible execute a XSS vulnerability on their job search section.

Proof of concept:
On Ebay Careers, you clicked on the Search Openings and on the Requisition No. you wrote the XSS vector:
<img src=x onerror=prompt("xss");> 

Clicked Search. The following screen doesn't execute the XSS but when you click:
?more would open a new window with the XSS executing.

This issue has been fixed and some pages removed.

I want to thank eBay security team for the fast reply and putting me on their Security Researchers Acknowledgment page. By the way, I'm the first portuguese guy in the list...

No comments:

Post a Comment