Amazon Bypass Open Redirect

When I first tried to find a loophole in Amazon, I found this site, and a URL parameter caught my attention:

https://primenow.amazon.com/onboard?sourceUrl=%2F

From this parameter name, I guessed that this is the page the user is sent to after the redirect.

I started building a proof-of-concept for this.

I found that simply entering a URL (for example, ?sourceUrl=facebook.com) failed.

That doesn't mean it can't work, so I tried using the "//" symbol to bypass the check.

Using the "//" symbol to bypass it (?sourceUrl=//facebook.com) succeeded.

With the "//" bypass, the final PoC is:

PoC payload:

https://primenow.amazon.com/onboard?sourceUrl=//facebook.com
https://primenow.amazon.com/onboard?sourceUrl=//Your_Website.com
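
A server-side check that rejects the "//" form, as an added example (not code from this write-up or from Amazon). The function names and the weak "starts with /" check are assumptions chosen to match the behaviour described above, where facebook.com failed and //facebook.com succeeded:

```python
from urllib.parse import urlsplit


def naive_is_local(target: str) -> bool:
    # Hypothetical weak check (an assumption, not Amazon's code): anything
    # that begins with "/" is treated as a path on the same site.
    return target.startswith("/")


def is_safe_redirect(target: str) -> bool:
    """Allow only same-site absolute paths such as "/" or "/onboard?x=1"."""
    if not target or target != target.strip():
        return False
    # Browsers drop control characters and treat "\" like "/" when they
    # resolve a URL, so refuse both before looking at the structure.
    if "\\" in target or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    # "//host" is a protocol-relative URL: the browser keeps the current
    # scheme and navigates to a different host.
    if not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def resolve_redirect(target: str, default: str = "/") -> str:
    # Fall back to a fixed local page instead of echoing a rejected value.
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample values for the sourceUrl parameter.
    for value in ["/", "/onboard?x=1", "facebook.com", "//facebook.com"]:
        print(f"{value!r:18} naive={naive_is_local(value)!s:5} "
              f"strict={is_safe_redirect(value)!s:5} "
              f"redirect_to={resolve_redirect(value)!r}")
```

The weak check and the strict check agree on every sample except //facebook.com, which only the strict check refuses.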

Timeline

  • 2017/02/01 12:32 Provided vulnerability details to the Amazon Security Team
  • 2017/02/01 02:44 Received automatic response
  • 2017/02/02 08:04 Received response from Matt that inspection is in progress
  • 2017/03/17 1:26 Received reply from the Amazon Security Team (Matt): Yes, it is fixed