RE: Portcullis Security Advisory 05-012 Ebay Session Riding Vulnerability
This is a very clever attack method, and indeed an issue that should be
taken seriously. Also, as an eBay user it is very disappointing to see that
eBay did not respond to you guys, but this does not seem to be out of the
norm for them :(
Last year I found a way to circumvent some of the eBay restrictions on code,
and it can be used to achieve the same results as outlined in this mailing
(session riding vuln). Typically eBay will filter script tags and the like
to prevent malicious code from being included in auctions, and the about me
page however we can manipulate the document object model to include nasty
code, and do some bad things. Here is a sloppy POC I literally threw
together in a few minutes, but it works flawlessly with firefox browser.
I have written a paper on the details of this issue, and simply refer to it
as "Document Object Model Hijacking" because we can turn trusted elements on
the page into elements we control by influencing the DOM.
I have no intentions of causing anyone any harm, so I have not bothered to
go VERY in depth with this issue in regards to eBay, but the potential for
harm is definitely there. Yes, I have tried over and over to contact eBay
and have even seeked help from others in the security community to contact
them regarding this issue to no avail. I hope after seeing your guys post,
and my follow up to it that eBay will act accordingly and resolve these two
security issues as it puts their customers at risk.
From: Paul J Docherty [mailto:PJD@xxxxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, April 19, 2005 1:46 AM
To: bugs; Bugtraq; secunia
Subject: Portcullis Security Advisory 05-012 Ebay Session Riding
Portcullis Security Advisory
Original Bugtraq posting 08 April 2005, Resend 19 April 2005.
This vulnerability affects EBay the auction websites.
Session Riding/Cross Site Request Forgery Attack.
Vulnerability discovery and development:
This issue was conceived by James Fisher having read the paper "Session
Riding" which was posted to the web application security mailing list
15th December 2005. The issue was further researched and developed to
the point of Proof of Concept by Dave Armstrong with additional input
from Martin Murfitt.
Successful exploitation of this issue allows malicious users to list an
item for auction in such a way that any subsequent user who views the
item automatically places a bid for that item with the value being bid
under the control of the malicious user. This does however require that
the user who views the item has logged into eBay.
This issue affects the eBay auction web sites.
All that is required to expose this issue is placing an item listing for
auction on eBay and adding a link to an off-site image. This link in
reality would point to a CGI script that instead of returning an image
returns a (HTTP 302) redirect response, referring the user back to the
eBay URL to automatically submit a bid.
An example of a typical URL:
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.9.17 - Release Date: 4/19/2005