Exploit the possiblities

PayPal.com Cross Site Scripting

PayPal.com Cross Site Scripting
Posted May 26, 2013
Authored by Robert Kugler

PayPal.com suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | e0510a6ae665212350dde6d7b1af5ab8

PayPal.com Cross Site Scripting

Change Mirror Download
Hello all!

I'm Robert Kugler a 17 years old German student who's interested in
securing computer systems.

I would like to warn you that PayPal.com is vulnerable to a Cross-Site
Scripting vulnerability!
PayPal Inc. is running a bug bounty program for professional security
researchers.

https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues

XSS vulnerabilities are in scope. So I tried to take part and sent my find
to PayPal Site Security.

The vulnerability is located in the search function and can be triggered
with the following javascript code:

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search

Screenshot: http://picturepush.com/public/13144090

Unfortunately PayPal disqualified me from receiving any bounty payment
because of being 17 years old...

PayPal Site Security:

"To be eligible for the Bug Bounty Program, you *must not*:
... Be less than 18 years of age.If PayPal discovers that a researcher does
not meet any of the criteria above, PayPal will remove that researcher from
the Bug Bounty Program and disqualify them from receiving any bounty
payments."

I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s
not the best idea when you're interested in motivated security
researchers...

Best regards,

Robert Kugler

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    7 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close