EBAY Bugbounty: Persistent DOM Based XSS on ebay.com

Posted by Alexander Korznikov on Feb 18

Hello all,

Description: Persistent DOM based Cross Site Scripting on ebay.com domain.
Disclosed to Ebay: January 2015
Fixed: February 2016
Vulnerability location: Every listing
Who is able to create: Sellers

Same origin policy bypass via postMessage

Write-up:
http://www.korznikov.com/2016/02/persistent-stored-dom-xss-on-ebaycom.html

Proof of Concept:

This code is inserted into the listing to pop up an alert on the ebay.com domain.

<script>…
