XSS On Ebay.com

I am still Fugitif and now I want to show you how can work one vulnerable XSS Alert Bug on Ebay.com.
To be more precise our link now is http://togo.ebay.com

Ok..My XSS alert can be found here http://togo.ebay.com/affiliates/create/





I go to select one version and I crush above





and immediately later click "I WANT THIS ONE"


In the square where asks FOR "ID" I put some string like this

Code:

"><script>alert(document.cookie)</script>

and click "Browse"





Now we cannot do anything else other than to use the search with our magic string

Code:

 "><script>alert(document.cookie)</script>

My Result ? !






That's all .... have fun ppl


/Fugitif

 

And what's the exact use of all these operations?

 

Well passive XSS, but the JavaScript code is in the POST parameters, so the victim must enter the needed code by itself?
Think it's useless...

 

nice dude

 

to Fugitif:
it is does not work already...

 

works for me

 

hmmmm. I thought ebay have safe protect

 

really?!
what browser did u use?

 

U can try with Mozilla Firefox some string like this one:

Code:

http://togo.ebay.com/app/auctionfinder.php?query=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EE&page&seller&category=&TZ=-120&block=list

 

mozilla firefox

 

What do you intend to do with this passive XSS? I don't say it's useless, but hey, be realistic people, you can hack someone very hard with a passive XSS. Correct me if I am wrong =)

 

You're right but there's one useful thing called SocialEngineering =)

 

that is only a f****** small and simple example that also one of the greatest sites can be vulnerable.

I want to say ... safety doesn't exist .

 

Fugitif, you are damn right! And what goes for the Social Engineering part, imho, I think it isn't a pure 100% hack, because you get your victim to tell you a lot about her. I don't argue, you must have a strong logic, but I am more fond of the technical side of hacking. But, hey, that's just me =)