
July 22, 2014

eBay Multiple Cross-Site Scripting Vulnerabilities

A quick scan of eBay's network range led me to this server (anywhere.ebay.com). The server displayed eBay's front page and logo.
Browsing through the pages, I noticed the cookie "Country", which was reflected into the page as part of a JavaScript code block AND a navigation href attribute. Surprisingly, no input validation was performed, allowing an attacker to safely inject JavaScript into the page. Needless to say, the cookie was reflected in every page of the server.

Fix: The cookie parameter is now set to 0 and input validation was added.
<script type="text/javascript">
// share values with the client side
isIE9 = 1;
country = 0;
currentPage = 'all'; // not dynamic
trackingCode = '711-117568-2056-0';</script>
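
The reflection described above has two sinks, a script block and an href attribute, and each needs validation plus encoding for its own context. The following is an added example, not eBay's code and not from the original post; the `/nav?country=` link, the function names, the numeric allowlist and the sample cookie values are all assumptions made for illustration.

```javascript
// Added example (not eBay's code). Assumption: a valid "Country" value is a
// small non-negative integer, as the fixed page's "country = 0" suggests.
const COUNTRY_RE = /^\d{1,3}$/;

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    let value = part.slice(i + 1).trim();
    try { value = decodeURIComponent(value); } catch (_) { /* keep raw value */ }
    out[part.slice(0, i).trim()] = value;
  }
  return out;
}

// Allowlist validation: anything that is not a plain integer falls back to 0.
function safeCountry(cookieHeader) {
  const raw = parseCookies(cookieHeader).Country;
  return typeof raw === 'string' && COUNTRY_RE.test(raw) ? Number(raw) : 0;
}

// HTML-attribute encoding for the href sink.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, c => '&#' + c.charCodeAt(0) + ';');
}

// Pattern the post describes: raw cookie text concatenated into both sinks.
function renderVulnerable(cookieHeader) {
  const c = parseCookies(cookieHeader).Country || '0';
  return '<script>country = ' + c + ';</script>\n' +
         '<a href="/nav?country=' + c + '">Home</a>'; // hypothetical link
}

// Hardened: validate first, then encode for each output context.
function renderHardened(cookieHeader) {
  const n = safeCountry(cookieHeader);
  const href = '/nav?country=' + encodeURIComponent(n); // hypothetical link
  return '<script>country = ' + JSON.stringify(n) + ';</script>\n' +
         '<a href="' + escapeAttr(href) + '">Home</a>';
}
```

Validation alone would cover this cookie, but keeping the per-context encoding means a later change to the allowlist does not reopen either sink.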


Timeline:
Me: May 30, 2014 - XSS was discovered
eBay: May 30, 2014 - Automatic reply that the case is open
eBay: July 18, 2014 - First update:
Bug Type: XSS
URL: http://anywhere.ebay.com
Status: Validated and Awaiting Fix
eBay: Aug 10, 2014 - Issue fixed. Bounty received. (***$)
eBay: Oct 21, 2014 - Acknowledgement was sent. (Happy birthday to me).


Thank you.
