|
XSS On Ebay.com
I am still Fugitif and now I want to show you how can work one vulnerable XSS Alert Bug on Ebay.com.
To be more precise our link now is http://togo.ebay.com Ok..My XSS alert can be found here http://togo.ebay.com/affiliates/create/ http://funkyimg.com/u/20862ebay_1JPG.jpg I go to select one version and I crush above http://funkyimg.com/u/89922ebay_2JPG.jpg and immediately later click "I WANT THIS ONE" In the square where asks FOR "ID" I put some string like this Код:
"><script>alert(document.cookie)</script>http://funkyimg.com/u/82647ebay_3JPG.jpg and click "Browse" http://funkyimg.com/u/36366ebay_4JPG.jpg Now we cannot do anything else other than to use the search with our magic string Код:
"><script>alert(document.cookie)</script>My Result ? ! http://funkyimg.com/u/95003ebay_5JPG.jpg That's all .... have fun ppl :D /Fugitif |
And what's the exact use of all these operations?
|
Well passive XSS, but the JavaScript code is in the POST parameters, so the victim must enter the needed code by itself?
Think it's useless... |
nice dude :)
|
to Fugitif:
it is does not work already... |
Цитата:
|
hmmmm. I thought ebay have safe protect :)
|
Цитата:
what browser did u use? |
Цитата:
U can try with Mozilla Firefox some string like this one: Код:
http://togo.ebay.com/app/auctionfinder.php?query=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EE&page&seller&category=&TZ=-120&block=list |
Цитата:
|
What do you intend to do with this passive XSS? I don't say it's useless, but hey, be realistic people, you can hack someone very hard with a passive XSS. Correct me if I am wrong =)
|
You're right but there's one useful thing called SocialEngineering =)
|
that is only a f****** small and simple example that also one of the greatest sites can be vulnerable.
I want to say ... safety doesn't exist . |
Цитата:
|
| Время: 23:40 |