Last year (Sept. 2013) I found an XSS vulnerability in www.ebay.com. Why write it up now? Because I didn't want to "show off", for reasons. Enough with the drama :D. Let's get to the point.
So I was looking at all the names in the Hall of Fame pages of different sites. On eBay's Security Researcher page, I thought the list was long, but I wanted my name in it.
So I started playing with all the GET parameters and came to this possibly vulnerable page.
URL: http://www.ebay.in/sch/Coins-Notes-/11116/i.html
Vulnerable parameter: LH_SpecificSeller
Reflected Code:
<span style="display:none"> <span title='XSS'> XSS HERE TOO </span> </span>
List of hurdles:
- The characters < > and , (angle brackets and comma) are removed
- The affected area lies within a hidden span (display: none, so no mouse events)
Because the parent span had the CSS style display: none, it was not possible to trigger an event. Nor was it possible to make the affected span visible, for the same reason, though I tried by adding a style attribute. I tried all the other payloads, be it onload / onerror events or a data: URI in the style attribute. But after a little research; OK OK, after 8 hours of research, I came upon a CSS expression payload.
http://www.ebay.in/sch/Coins-Notes-/11116/i.html?LH_SpecificSeller=1..xss'+style="xss:expression(prompt(1))"+id='1
Aaand it worked! Not in Firefox or Google Chrome, but in Internet Explorer. Yes, I had to use Internet Explorer out of necessity. But that was enough for me.
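As an added illustration, written for this post and not eBay's own code: the filter described above only removes angle brackets and commas, so a single quote is enough to close the title attribute and add new ones, while HTML attribute encoding of the reflected value keeps it inside the attribute no matter what it contains. expression() is a legacy, Internet Explorer-only CSS feature, which is why the payload fired only there; the fix does not depend on that detail. The function names, the SAMPLE_INPUT constant (modelled on the payload quoted above) and the tiny attribute checker are my own constructions.

```javascript
// Added example (not eBay's code): why stripping "< > ," from a value
// reflected inside title='...' does not stop attribute injection, and
// how HTML attribute encoding closes the hole. Names here are mine.

// Constructed input, modelled on the payload quoted in the post:
// it contains no < > or , so the strip filter leaves it untouched.
const SAMPLE_INPUT = "1..xss' style=\"xss:expression(prompt(1))\" id='1";

// The filter the post describes: only removes angle brackets and commas.
function stripFilter(value) {
  return String(value).replace(/[<>,]/g, "");
}

// Hardened alternative: encode every character that can terminate an
// attribute value or start an entity, so the value can never leave the
// quoted attribute it was placed in.
const ATTR_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function encodeForAttribute(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Reproduces the reflection point from the post: the parameter lands
// in a single-quoted title attribute inside a hidden span.
function renderSpan(seller, sanitize) {
  return `<span style="display:none"> <span title='${sanitize(seller)}'> XSS HERE TOO </span> </span>`;
}

// Inspects the rendered inner span and returns any attributes that
// appear after the title attribute. An empty list means the input stayed
// inside title='...'; anything else means the input broke out of it.
function injectedAttributes(html) {
  const tag = /<span title='([^']*)'([^>]*)>/.exec(html);
  if (!tag) return [];
  const trailing = tag[2];
  return trailing.match(/[^\s=]+=(?:"[^"]*"|'[^']*'|[^\s"'>]*)/g) || [];
}

// Stand-alone demo: the strip filter lets two attributes through,
// attribute encoding lets none through.
console.log("strip filter :", injectedAttributes(renderSpan(SAMPLE_INPUT, stripFilter)));
console.log("attr encoding:", injectedAttributes(renderSpan(SAMPLE_INPUT, encodeForAttribute)));
```

The checker is deliberately minimal; in a real review you would feed the rendered page to an HTML parser rather than a regex, but the point stands: a denylist of characters is the wrong tool for a value that lands inside an attribute, and context-aware encoding is the right one.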
So I reported it, and after a month they fixed it and I got a reply from them.
And that's how I got my name in the list. Here it is.