Another eBay permanent XSS

Written by KF

Tuesday, 13 November 2012

The Indian security researcher Shubham Upadhyay, aka Cyb3R_Shubh4M, sent us a new permanent XSS affecting the product listings on

He explained to us how to reproduce it:

I've found a critical persistent XSS bug on eBay. For that you need a seller account "Once you login to your seller account on eBay, create a listing for sale". Now in edit HTML put the XSS code: '"--></style></script><script>alert("XSSed by Cyb3R_Shubh4M")</script> and then preview your listing and b00m !

Here is the page where he injected his code:

The mirror is available here:

It sometimes gets executed in another subdomain with an iframe (in Google Chrome), but we could test it successfully on Firefox with the JavaScript code being executed on the domain. Also, after clicking on "print", we get a temporary link like this one:

Which interprets the code in the domain on all browsers. Mirror:

According to the researcher, it also gets executed in the domain when logged in to the seller account!
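
The string quoted above runs only because the script element in the listing HTML survives to the rendered page. As an added example (not code from the original post or from eBay), this Python filter passes seller-supplied HTML through a tag allowlist and escapes all text; the allowed tag set and the name `sanitize_listing` are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist for listing descriptions (an assumption, not eBay's policy).
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a"}
DROP_WITH_CONTENT = {"script", "style"}  # element bodies are discarded as well

class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS:
            self.out.append("<" + tag + self._safe_attrs(tag, attrs) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            # Stray closers (as in the quoted string) must not push the depth below 0.
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</" + tag + ">")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=True))

    @staticmethod
    def _safe_attrs(tag, attrs):
        # Keep only href on <a>, and only http(s) URLs; event handlers are dropped.
        for name, value in attrs:
            if tag == "a" and name == "href" and value:
                try:
                    scheme = urlsplit(value.strip()).scheme.lower()
                except ValueError:
                    continue
                if scheme in ("http", "https"):
                    return ' href="%s"' % escape(value.strip(), quote=True)
        return ""

def sanitize_listing(html_text):
    parser = ListingSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

An unclosed `<script>` leaves `skip_depth` above zero, so everything after it is dropped rather than rendered.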

Thanks for sharing this interesting finding!
