Script Injection

Well, I had to put this page up instead of simply showing you one of the hundreds of pages that have been hijacked by script injection on eBay. The reason I cannot show you the real thing is that eBay’s dirty tricks department is trying to put a gag on eBuster whilst hiding behind a DMCA copyright notice issued to my host providers. In the latest development, apparently eBay is on to the FBI about eBuster, and if eBay finds any of the above slanderous then they are welcome to try and sue me.

So how should I cover the subject of script injection without being accused of copyright infringement (yeah, some joke coming from eBay) or jumping up the FBI’s most wanted list by saying too much?

Script injection in its simplest form is typing special code into an input box that accepts HTML input, and the code looks something like this.

<wscript='run-now'>
ShowMessage['Hello world']
</wscript>

Not much damage done there, but among other serious security risks, script injection can totally overwrite the web page you have just downloaded from eBay. That nice advert for a car suddenly becomes a page that puts cookies on your computer and tracks your moves, and as soon as you click a button you are taken off to a fake eBay site or a fake login page. So let’s look at some of the code injected into eBay pages, with a slight modification.

<!--Begin Description-->
<wscript='run-now'>
Browser.Write('\u003C\u0073\u0074\u0079\u006C\..........
</wscript>
<!--End Description-->

This is a bit more sophisticated and uses hexadecimal code, which would take me all day to decode just to remove the eBay trade logo from the top of the page, so let’s see how simple it is to protect against script injection!

Protection comes free in ASP.NET unless it is turned off by using ValidateRequest="false" in the page header, and any programming language can make a simple test in two lines of code.

// html holds the submitted markup; refuse it if the script tag is present
if (html.ToUpper().IndexOf("<WSCRIPT") > -1)
              throw new Exception("Page is infected");
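
An added example, not part of the original page or of eBay's code: a Python sketch of the same server-side test done with an HTML parser and an allowlist instead of a single substring match, plus a helper that expands the \uXXXX escapes quoted above so a reviewer can read them. The allowlist contents, the function names and the sample listings are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this sketch: the only markup a listing description may use.
ALLOWED_TAGS = {"p", "br", "b", "i", "ul", "li", "a", "img"}
ALLOWED_ATTRS = {"href", "src", "alt"}

def scheme_ok(url):
    try:
        return urlsplit(url or "").scheme in ("http", "https")
    except ValueError:  # malformed URL: treat it as a violation
        return False

class DescriptionAuditor(HTMLParser):
    """Records every tag, attribute or URL scheme outside the allowlist."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            if name not in ALLOWED_ATTRS:
                self.findings.append(f"attribute {name} on <{tag}>")
            elif name in ("href", "src") and not scheme_ok(value):
                self.findings.append(f"non-http URL in {name} on <{tag}>")

def audit_description(markup):
    """Return the list of policy violations; an empty list means accept."""
    auditor = DescriptionAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings

def decode_unicode_escapes(text):
    r"""Expand \uXXXX escapes so a reviewer can read what a payload writes."""
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)

def as_plain_text(markup):
    """Encode markup for display where no HTML is wanted at all."""
    return html.escape(markup)

# Constructed samples; the escaped fragment is the one quoted on this page.
CLEAN = '<p>2005 motorhome, <b>one owner</b></p><img src="https://example.com/van.jpg" alt="van">'
INJECTED = r"<p>Nice car</p><script>document.write('\u003C\u0073\u0074\u0079\u006C')</script>"
```

The five escapes quoted on the page expand to the first characters of an opening style tag, which fits the page-overwriting behaviour described above.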

It really is quite simple and most first year technology students know about the risk, so is it me being pedantic by asking how come eBay didn’t seem to know or even care? They did, however, finally manage to fix the problem in the section of eBay I was monitoring at the time, but this does not mean the whole site is now safe or that these rogue pages have not been saved to disk by eBay members.

It’s a good job eBuster is not that slow, else it would take me years to move this web site each time eBay slaps a gag order on me, but I don’t think I am breaking any rules by showing two screenshots of the page using different browsers after I tweak the legendary eBay logo. The real item number on this one was 110327410336 and not 714347917014.
[Screenshot: Fake eBay listing]
It’s a good try but it goes wrong on the left hand side in Internet Explorer if you resize the browser, but it’s perfect in Firefox.
[Screenshot: Fake eBay listing]

Since we are on the subject of code, maybe eBay would like to make a few comments about Web Site Accessibility, or is this another UK law eBay has been allowed to overlook? Whilst I admit this site is far from perfect, as I needed to move it fast, at least it does not have pages with two sets of <html></html> in the same page, which I will post a link to when I remember where I have seen it.

The bottom line is eBay have known about this for a considerable amount of time. I am clueless about the motivation behind this and find it unsurprising that eBay is being hacked on a regular basis, and this may explain some of the corrupt member names that are popping up on a regular basis, but alas eBay has failed as yet to provide an explanation.

Comment (1) Posted on 8/7/2009 by T-Bone
 

Just another load of parasites wasting taxes with brown noses up each other bum


Comment (2) Posted on 9/22/2009 by Citizen
 

You claim that http://ebay.about.com/od/sellingeffectivel1/a/se_cancel.htm contains a link to a FRAMED login page.

This is the sentence you refer to that has a link in it...

1.Visit the eBay end listing early form and enter the item number of the listing you'd like to end.

The link goes to the following page, which you claim is fake... http://tinyurl.com/n63vhf

However, it's just HTML Frames - the parent page and advertisement at the top of the page are hosted by About.com, but the main section of the page is a REAL login page at ebay.

You can confirm this by reviewing the HTML source of the parent page, and/or by RightClick > Properties on the lower section of the page.


Comment (3) Posted on 9/24/2009 by EBuster
Reply from eBuster

Yes as you say it is in a frameset but check out cross browser scripting and if you read the terms of eBay policy you will see that this is against the rules.

Also note eBay has changed the warning message on login pages and I did contact eBay about this page and got no reply as usual.


Comment (4) Posted on 9/28/2009 by Chris.
 

These scam ads are constantly appearing on ebay.co.uk which I assume are done by script injection? I have lost count of the number I have reported to ebay, but as soon as they remove one, another takes its place. It's getting ridiculous!!
No good me giving item number as it means nothing. Search for this motorhome:


2005 SWIFT FREESTYLE MOTORHOME FIAT DUCATO CARAVAN TDI

