Tuesday, October 29, 2013

eBay XSS finding

I would like to elaborate the reflected XSS finding that I have reported to eBay during the bug bounty program.

While I was playing with the proxy, I focused on the value of the parameter cb (refers to callback) in the request sent to the URLs

I noticed that value is returned in the response in a JavaScript context without filtering or encoding in both URLs. Here's a snippet from the request sent to the rewards page with a sample injection  alert(123); in the cb parameter

GET /ws/eBayISAPI.dll?GetRewardsInfo&item=121071656603&ShowRewards=true&isBucksNew=true&isInvited=false&baseOffer=2&bucksLink=http://my.ebay.com/ws/eBayISAPI.dll?RewardsIntEnroll&CTASignup=false&ExtLanding=false&ssPageName=VI:joinrewards&isEnrolled=false&isClosedVI=false&myebayBucksLink=null&ShowCoupon=false&IsBidFlow=true&ShowBML=true&IsViewItem=true&item=121071656603&cb=alert(123);jQuery1707709477525318212_1361715451002 HTTP/1.1
Host: rewards.ebay.com

The injected value returned in a JavaScript response without filtering or encoding as shown below


No tags are needed in the injected string because the context of the response is already JavaScript.

For a proof of concept: I did the following steps:

1-    Navigated to www.ebay.com
2-    Searched for an item
3-    Clicked on one of the resulting items
4-    Used a proxy to tamper the parameter “cb” while calling http://rewards.ebay.com/ws/eBayISAPI.dll?GetRewardsInfo
5-    The script got executed as shown below:

eBay fixed the issue and added my name to their hall of fame list over http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html 

Bug bounty program rules for eBay is available on http://pages.ebay.com/securitycenter/Researchers.html

1 comment: