Back in July 2015 I reported an XSS issue to PayPal, it was a DOM XSS on “checkout.paypal.com”
It’s taken several months but with the issue now fixed I wanted to publish this post.
return this._localhostRe.test(url) || this._braintreeDomainRe.test(url);
As you can see there are two validation methods, let’s take a look
The localhost validation regex is allowing any domain that starts with “http://localhost” (I guess the developers used it to test things on a local environment). So… I just need to create a subdomain named localhost on any domain and PayPal will happily load my script.
The exploit worked only on browsers that support mixed content due to the fact we can only load the script on http in order to pass the validation.
To exploit you’d just use the following
Hope you guys found this post interesting.