Reflected XSS on

This is newp_th. This issue is very similar to my previous report on Reflected XSS on Stack Overflow.

It was much easier than before, Just append a malicious payload “><script/k/>alert(113)</script/k/> to parameter.

Few weeks after reporting this issue to amazon security team, I got a reply that issue has been resolved and to verify it again. On further testing I could easily bypass the fix using payload “-confirm(1)-”.

Thanks for reading. Hope will get time to write some more posts.


29-May-2018: Bug reported

29-May-2018: Bug confirmed by security team

25-June-2018: Bug Fixed

27-June-2018: Bypassed Fix

12-Dec-2018: Bug Resolved

secure your computer 😊

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store