TOPIC: XSS allowed on eBay members pages


Hey everyone. Today I would like to disclose an XSS vulnerability present on which the security engineering team at do not classify as a security issue.

If you wish to test the PoC, you must have an eBay account.

This is the logic behind the vulnerability:

(1) eBay allows for users to create their own "member" pages which can contain HTML
(2) When HTML with JavaScript such as "<script>alert(document.cookie)</script>" is submitted they actively prevent it from being used on the member page. See gif below:


(full report with visual documentation at link   ^ )


The comedy here is:


Thank you again for your report.


We are closing this ticket since this is one of the functions where we allow users to submit active content to customize their 'about me' pages as long as there isn't any violation against the ( This is mentioned in the about me policy:


Our discovery team continually monitors user accounts and if there is any violation against the eBay policy, the user account will be suspended.


We welcome further submissions, and if they are true vulnerabilities to our eBay community we will gladly add your name to the site once the vulnerability is resolved.

We are closing this case without further action.


Best Regards,

eBay Security Research




Exposing the sleazery of ebaY and PayPal

