PayPal Inc Bug Bounty #113 - CS Cross Site Vulnerability

Type vulnerlab
Reporter Milan A Solanki - ( []
Modified 2015-04-18T00:00:00


A non persistent cross site scripting web vulnerability has been discovered in the official PayPal Inc online service web-application. The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions data by client-side manipulated cross site requests.

The vulnerability is located in the q values of the merchant search module. Remote attackers are able to inject own script codes to the vulnerable GET method request of the merchant search module. The attack vector of the vulnerability is located on the client-side of the paypal online service web-application. The request method to inject the script code on client-side is GET. The injection point of the issue is the vulnerable q value in the search engine and the script code execution point is located in the results output context page.

The security risk of the non-persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.4. Exploitation of the client-side cross site scripting web vulnerability requires low user interaction (click) and no privileged application user account. Successful exploitation results in client-side account theft by hijacking, client-side phishing, client-side external redirects and non-persistent manipulation of affected or connected service modules.

Request Method(s): [+] GET

Vulnerable Service(s): [+] PayPal Inc (

Vulnerable Module(s): [+] Merchant Search

Vulnerable Parameter(s): [+] q

Affected Section(s): [+] Merchant Search Results