Cross-Site Scripting Vulnerability in sell.eBay.in
Hello guys,
As always, I was a bit lazy (actually very lazy) in writing a blog post on one of my findings on eBay.in.
Checked in : Firefox
OS : Windows 7
Description of Vulnerability :
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
Impact of Vulnerability :
By exploiting this vulnerability, an attacker can redirect a user to a malicious page and can even steal the session.
Proof-of-concept Video :
Steps to Reproduce :
1. Open http://sell.ebay.in/sell and click on start selling.
2. Select any category and go to the item details page.
3. In the description, enter this payload - <
4. List the item.
5. Open the item page. Pop-up occurs.
Timeline
*. Found : 24 March 2016 (2:42am)
*. Reported : 24 March 2016 (2:45am)
Well, the reply was that this is a functionality we provide and is not eligible for any kind of reward. :p Why allow JavaScript in the description? HTML is enough.
No problem! I found it at least. :p :D
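The "HTML is enough" point above, as an added example that is not part of the original post or eBay's code: an allowlist sanitizer that keeps formatting markup in a listing description and drops script elements, event-handler attributes and non-http(s) URLs. The tag allowlist, function names and sample markup are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist (not eBay's): formatting tags and the attributes each may keep.
ALLOWED = {"b": (), "i": (), "u": (), "p": (), "br": (), "ul": (), "ol": (),
           "li": (), "a": ("href",), "img": ("src", "alt")}
VOID = {"br", "img"}                     # tags with no closing tag
DROP_WITH_CONTENT = {"script", "style"}  # remove the element and its text
URL_ATTRS = {"href", "src"}

def is_http_url(value):
    """Accept only absolute http(s) URLs; javascript:, data: and relative URLs fail."""
    try:
        return urlsplit(value.strip()).scheme.lower() in ("http", "https")
    except ValueError:
        return False

class DescriptionSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0      # skip > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return  # unknown tags are dropped; their text is still kept, escaped
        kept = [f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                if n in ALLOWED[tag] and v is not None
                and (n not in URL_ATTRS or is_http_url(v))]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize_description(html_text):
    parser = DescriptionSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)

# Constructed sample description (not the payload from the post).
SAMPLE = ('<p>Brand new <b>phone</b></p><script>x()</script>'
          '<img src="https://img.example/p.png" onerror="x()">'
          '<a href="javascript:x()">details</a>')
```

Because the output is rebuilt only from allowlisted tags and attributes, anything the parser does not recognise ends up as escaped text instead of markup; a Content-Security-Policy that disallows inline script is a useful second layer on the page that renders the description.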