神刀安全网

XSS Bug in Amazon Gift Card Creation

I recently found an XSS bug in the Amazon Gift Card creation flow, and I am going to explain how it works.

Below is the URL for creating an Amazon Gift Card.

https://www.amazon.com/gc/quickpurchasewidget/home/nav?amount=50.00&asin=B0145WHYKC&message=I+hope+you+enjoy+this+Amazon+gift+card!&deliveryDate=&pf_rd_p=2368252362&pf_rd_s=merchandised-search-left-3&pf_rd_t=101&pf_rd_i=2238192011&pf_rd_m=ATVPDKIKX0DER&pf_rd_r=KH42V4DQGYMBH5502A60&url=XXXXXXXXXXXXXXXX

The url parameter is the base64-encoded URL. Once the gift card is created or cancelled, the page is redirected to that URL.


I gave amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5jb29raWUp as the url value, which is the base64 encoding of javascript:alert(document.cookie)

Screenshots: (images not preserved)

So we can pass any JavaScript code (base64-encoded) as the url parameter.
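A check of the kind that closes this hole, as an added example (not from the original post and not Amazon's actual fix): decode the url value, parse it, and redirect only to an https URL on an allowlisted host. The function name, the allowlist, the fallback URL and the sample inputs are assumptions made for illustration.

```javascript
// Added example: validate a base64-encoded redirect target before navigating.
// ALLOWED_HOSTS, FALLBACK and safeRedirectTarget are hypothetical names.
const ALLOWED_HOSTS = new Set(['www.amazon.com']); // assumption: redirects stay on-site
const FALLBACK = 'https://www.amazon.com/';        // assumption: safe default page

function safeRedirectTarget(encoded) {
  let decoded;
  try {
    decoded = atob(encoded); // throws on input that is not valid base64
  } catch {
    return FALLBACK;
  }

  let target;
  try {
    // Parse as an absolute URL. The parser also normalises leading
    // whitespace and embedded tabs/newlines, so "java\tscript:" is
    // reported as the javascript: scheme instead of slipping past a
    // naive string prefix check.
    target = new URL(decoded);
  } catch {
    return FALLBACK; // relative or malformed values are rejected
  }

  // Allowlist the scheme: this is what rejects javascript:, data:, etc.
  if (target.protocol !== 'https:') return FALLBACK;
  // Allowlist the host so the parameter cannot become an open redirect.
  if (!ALLOWED_HOSTS.has(target.hostname)) return FALLBACK;

  return target.href;
}

// Constructed sample inputs; the first is the value quoted in the post.
const samples = [
  'amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5jb29raWUp',
  btoa('https://www.amazon.com/gc/done'), // constructed on-site path
  btoa('https://other.example/'),         // off-site host
  'not base64!!',
];
for (const s of samples) {
  console.log(s, '->', safeRedirectTarget(s));
}
```

The decision is made on the parsed URL's protocol and hostname, not on the raw decoded string, and the page should navigate only to the value this function returns.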

I reported this bug to Amazon on 11th Feb 2016, and it was fixed on 16th Feb 2016. Unfortunately, Amazon does not give any bounty for security vulnerabilities. :(

Mail confirmation from Amazon: (image not preserved)
