Sunday, May 6, 2012

eBay Security 2011 & 2012 Wide Security Vulnerabilities

eBay has different websites for different countries. As a result of a wrong implementation of a common feature shared by eBay's websites, I discovered a wide vulnerability that put all of eBay's users at risk of being hacked!

2012 - XSS Wide Vulnerability

The payload was injected into a script tag, bypassing the browser's anti-XSS filters, with the ability of full session hijacking and hacking into eBay users' accounts.

This time eBay did a great job fixing this vulnerability.

2011 - Vulnerability in all eBay Stores

In 2011 I discovered a vulnerability which was quite simple to exploit, since user input passed through a character blacklist which, until my report, did not sanitize input correctly.

2011 - Interesting Wrong Fix

Bypass: Single Parameter Splitting Injection XSS (alert isn't the goal!)

After my report to the manager of eBay's security team, eBay came up with a fix.
This fix consisted of a server-side update to the character blacklist: this time it replaced the plus sign ("+", URL-encoded as %2B) and any occurrence of a double slash ("//") with nothing (""), in addition to filtering angle brackets ("<>"), limiting the parameter's allowed length, and removing other forbidden characters.
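As an added illustration of why this kind of fix is the wrong layer (example code written for this post, not eBay's code): a blacklist of the shape just described, placed next to contextual output encoding for a value that lands inside a quoted string in a script tag. MAX_LEN and the sample inputs are constructed values; the post does not give the real limit.

```python
import re

MAX_LEN = 40  # constructed: the post does not state eBay's real limit

# Output that is provably inert inside a JS string literal: only ASCII
# letters/digits and \uXXXX escapes, nothing else.
_INERT = re.compile(r"(?:[A-Za-z0-9]|\\u[0-9a-fA-F]{4})*\Z")


def blacklist_filter(value: str) -> str:
    """The server-side blacklist described in the post: the plus sign (raw
    or as %2B), '//' and angle brackets are replaced with nothing and the
    parameter is truncated.  Everything else passes through untouched."""
    for banned in ("%2B", "+", "//", "<", ">"):
        value = value.replace(banned, "")
    return value[:MAX_LEN]


def js_string_encode(value: str) -> str:
    """Context-aware encoding for a value echoed inside a quoted string in
    a <script> block: every UTF-16 code unit that is not an ASCII letter or
    digit becomes \\uXXXX, so quotes, backslashes, line terminators and the
    '</' that would close the script element never reach the parser as
    syntax.  Non-BMP characters come out as surrogate-pair escapes."""
    data = value.encode("utf-16-be")
    units = (int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    return "".join(
        chr(u) if u < 0x80 and chr(u).isalnum() else "\\u%04x" % u
        for u in units
    )


def render_script(value: str) -> str:
    """The template the post describes: the reflected value is placed inside
    a single-quoted string in a <script> tag."""
    return "<script>var q = '%s';</script>" % value


def inert_in_js_string(emitted: str) -> bool:
    """True if the emitted value cannot change the syntax of the surrounding
    JS string literal or end the <script> element."""
    return _INERT.match(emitted) is not None


if __name__ == "__main__":
    # Constructed benign input: an apostrophe in a name already breaks out
    # of the literal, and the blacklist does nothing about it.
    name = "O'Neil"
    for fixed in (blacklist_filter(name), js_string_encode(name)):
        print(render_script(fixed), "inert:", inert_in_js_string(fixed))
```

The blacklist only removes the characters one particular payload happened to need; the encoder removes the whole class of context breakouts, which is why the second output stays inert regardless of input.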

So, alert? prompt? Could you steal a cookie with alert? Can you do it without generating a request to your domain?
A request to the attacker's web listener would normally require the use of a double slash, a plus sign and a long payload (there are techniques to evade that; this bypass shows how to deal with a normal, real situation), i.e. ''+document.____ , so it may seem like a partial but anti-session-hijacking fix.
After working on this filtering I came up with a modified payload which could be used to bypass the filtering and generate requests to an attacker's website carrying the user's sensitive web elements/objects (including the cookie!), then I made a video of a full session hijacking.
The reason I am posting about this issue is the interesting vector of my bypass.
Enjoy watching:

eBay did and is still doing a great job, as they take great care of security, and I thank them for that.
I am pleased I could help eBay's security team make eBay's users and customers a bit more secure.

For all of my reports (2011-2012) and security assistance to eBay, eBay gave me their special appreciation ;)
