HashFlare

Cross-Site Scripting Vulnerability in sell.eBay.in

Hello guys,

As always, I was a bit lazy (actually very lazy) in writing a blog post on one of my findings on eBay.in.



Bug Type : Cross Site Scripting (Persistent XSS)
Checked in : Firefox
OS : Windows 7

 Description of Vulnerability :
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.


Impact of Vulnerability :
By exploiting this vulnerability, one can redirect a user to a malicious page and even can steal the session.

Proof-of-concept Video :


Steps to Reproduce :
1. Open http://sell.ebay.in/sell and click on start selling.
2. Select any category. On the item details page.
3. In the description, enter this payload - <
4. List the item.
5. Open the item page. Pop-up occurs.

Timeline
*. Found : 24 March 2016 (2:42am)
*. Reported : 24 March 2016 (2:45am)

Well, the reply was that this is an functionality we provide. And is not eligible for any kind of reward. :p Why to allow Javascript in the Description. HTML is enough.

No problem! I found it atleast. :p :D
Previous
Next Post »

Subscribe to our mailing list

* indicates required
Select your Interested Topics.