Reflected XSS in

The first place I started looking for a JavaScript code injection was a search box. Surprisingly, it was a bull’s eye.

I typed “Gold” and hit the “Search” button. I was redirected to:

Then I looked in the source code. It seemed that every checkbox (e.g. “Auction”, “Buy It Now” and so on) had a dynamically generated URL:

<a href="">

What I found interesting was the part after the search query (“gold”), which was absent from the web browser’s address bar:


So I simply tried to abuse it with a value of:

" onclick=alert(document.cookie) x="

In the address bar of my web browser I typed: " onclick=alert(document.cookie) x="

After clicking the “Auction” or “Buy It Now” checkbox, my cookies showed up in an alert box.
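
The root cause described above is a reflected value written into a quoted `href` without escaping for the attribute context. The following is an added example, not code from the original post or from eBay: it puts the vulnerable pattern beside a hardened one and lists which attributes each link ends up with. The host `shop.example`, the parameter name `ref` and all function names are hypothetical.

```javascript
// Added example. Host "shop.example" and parameter "ref" are hypothetical.
const PAYLOAD = '" onclick=alert(document.cookie) x="'; // value quoted in the post

// Vulnerable pattern: the reflected value is concatenated into a quoted attribute,
// so a double quote in it ends the href and the rest becomes new attributes.
function filterLinkUnsafe(query, reflected) {
  return `<a href="https://shop.example/search?q=${query}&ref=${reflected}&type=auction">Auction</a>`;
}

// HTML-attribute escaping for characters that can close a quoted value or open markup.
function escapeAttr(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Hardened pattern: URL-encode each value for the query string, then
// HTML-escape the finished URL for the attribute it is written into.
function filterLinkSafe(query, reflected) {
  const url = new URL('https://shop.example/search');
  url.searchParams.set('q', query);
  url.searchParams.set('ref', reflected);
  url.searchParams.set('type', 'auction');
  return `<a href="${escapeAttr(url.toString())}">Auction</a>`;
}

// Minimal attribute lister for one opening tag (enough for this check,
// not a general HTML parser): returns the attribute names in order.
function attributeNames(html) {
  const names = [];
  const attr = /\s+([^\s=>"'\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/y;
  attr.lastIndex = html.match(/^<[a-zA-Z]+/)[0].length; // skip the tag name
  let m;
  while ((m = attr.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// A regression check a template test suite could run: a generated link
// must carry no attribute other than the ones the template itself wrote.
function hasInjectedAttributes(html, allowed = ['href']) {
  return attributeNames(html).some((name) => !allowed.includes(name));
}

console.log(attributeNames(filterLinkUnsafe('gold', PAYLOAD)));
console.log(attributeNames(filterLinkSafe('gold', PAYLOAD)));
```
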


This got me listed on eBay’s Security Researcher’s Acknowledgment page.

Bug’s lifespan:

[January 23rd 2013] - first report
[March 5th 2013] - second report after no response
[April 2nd 2013] - bug fixed

