Tuesday, April 28, 2015

Stored XSS in eBay message filenames

I have been quite an ethical hacker/pentester so far and have always disclosed everything responsibly (with or without bug bounty programs), so it's actually quite fun for me to do a first full disclosure (of a sort).

Everything started more than a year back, when I was looking around in many web applications and reporting everything that I found. Things were good: sometimes there was a monetary benefit, sometimes I got some free stuff, and sometimes I got into a "hall of fame" or got a simple "thank you". Overall the reaction was nothing but great. The only company whose behaviour was a bit different was eBay.
I discovered a vulnerability where an attacker can perform an XSS attack over eBay's internal messages, and since the session cookies in eBay are not HttpOnly, it was quite a high-severity issue for targeted attacks.
When I reported this, I got the standard email back about how much they value security and so on. They asked me not to disclose the issue to the public (a normal request) but then also added that they would not give me any information about when or how the issue would be fixed. I thought this was kind of strange, but to hell with that: as long as they fix it in a reasonable time, I don't care.

Three months passed with no information from them, and out of curiosity I checked the issue again. It was still there. Because the issue was a simple "missing encoding" (usually quite a quick fix), I contacted them, and the only response I got was that they would not give any information about the fix schedule.
The status was exactly the same after 5 and 7 months (the vulnerability was still there and the response to my email was the same).

After that I pretty much forgot about it. I had a lot to do, so eBay was the last thing I cared about. Up until yesterday, when during a Skype chat someone mentioned the Yahoo bug bounty case (https://grahamcluley.com/2013/09/serious-yahoo-bug/) and I remembered eBay again.

So today I logged into eBay and tried to replicate the issue (more than a year later!) and it was still there. So it must not be as dangerous as I thought, and no harm can come from making it public.

1. Start by sending a message to another user (pick "This is not about an item").

2. Select the "attach photos" functionality and upload a picture (my upload was monkey.jpg); catch the request itself with Burp (or some other proxy).

3. Modify the GET parameter named "picfile" and the header named "X-File-Name" to contain your payload (mine was </script><script>alert('XSS')</script>).

4. If everything went well, you get something like this and you can submit the request (after filling in the captcha and other stuff); catch the request again with the proxy.

5. I'm not sure that this is a "MUST BE", but I also modified the file name in this request.

RESULT: When the target opens the message, the result he/she gets is like this:

QUICK ANALYSIS: Where exactly the payload is inserted
The filename is used inside the message HTML in 2 places. The first is the place where it's displayed (encoded correctly).

The second is inside the JavaScript, where no encoding is used at all.
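To make the two insertion points concrete, here is an added example (not eBay's code) of a minimal stand-in for the message template: the display slot is HTML-escaped as eBay already does, while the script slot is rendered both raw (the vulnerable form) and encoded for a JavaScript string literal (the fix). The function and variable names (renderVulnerable, renderFixed, picfile) are hypothetical.

```javascript
// Added example, not eBay's code: a minimal stand-in for a message template
// that inserts an attachment filename in the two places the post describes.
// Function and variable names (renderVulnerable, picfile, ...) are hypothetical.

// HTML-escape for the display (text) context; this is the slot the page
// already encodes correctly.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Encode a value for a JavaScript string literal inside an inline <script>.
// JSON.stringify handles quotes and backslashes but leaves '<' and '>' alone,
// so a "</script>" in the value would still end the script element for the
// HTML parser. Escape those (and the JS line terminators) as \uXXXX.
function encodeForJsString(s) {
  return JSON.stringify(s).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Vulnerable template: filename HTML-escaped for display, but dropped raw into
// the script (the second insertion point the post found).
function renderVulnerable(filename) {
  return `<p>Attachment: ${escapeHtml(filename)}</p>\n` +
         `<script>var picfile = '${filename}';</script>`;
}

// Fixed template: same markup, filename encoded for the JS string context.
function renderFixed(filename) {
  return `<p>Attachment: ${escapeHtml(filename)}</p>\n` +
         `<script>var picfile = ${encodeForJsString(filename)};</script>`;
}

// Check: the rendered page should contain exactly one <script> start tag; a
// second one means the filename broke out of the string literal.
function scriptStartTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

const payload = "</script><script>alert('XSS')</script>"; // the post's payload
console.log(renderVulnerable(payload));
console.log('script tags (vulnerable):', scriptStartTags(renderVulnerable(payload))); // 2
console.log(renderFixed(payload));
console.log('script tags (fixed):', scriptStartTags(renderFixed(payload)));           // 1
```

Run with `node` to see the two renderings side by side; the fixed one still round-trips to the original filename when the browser evaluates the literal.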

Impact of this vulnerability (my opinion)
There are many things that make this issue dangerous. This is a short list of some of them:
  • You can create new users very easily to carry out these attacks (no email verification)
  • The target even gets an email about your message
  • Only 3 cookies are HttpOnly in eBay, and none of them are needed for session hijacking
  • There seem to be no limiting factors for the XSS payload (there might be length limits, but these are easy to bypass)
  • Combining it with other stuff like http://www.securityfocus.com/archive/1/533361 (which is also still working in eBay!)


  1. About http://www.securityfocus.com/archive/1/533361 - "out of scope" doesn't mean what you think it does :)

  2. No reward, but no threats either :)
    Another similar case someone linked to me:

  3. There are now a few more cookies with the HttpOnly flag, and it seems that session hijacking is not that easy anymore
