XSS Bug in Amazon Gift Card Creation

I recently found a XSS bug Amazon Gift card creation flow, I am going to explain how it works.

Below is the URL is for creating Amazon Gift card.

https://www.amazon.com/gc/quickpurchasewidget/home/nav?amount=50.00

&asin=B0145WHYKC&message=I+hope+you+enjoy+this+Amazon+gift+card!
&deliveryDate=&
pf_rd_p=2368252362&pf_rd_s=merchandised-search-left-3&
pf_rd_t=101&pf_rd_i=2238192011&pf_rd_m=ATVPDKIKX0DER&
pf_rd_r=KH42V4DQGYMBH5502A60&url=XXXXXXXXXXXXXXXX

url parameter is the base64 encoded URL. Once the gift card is created/cancelled, then the page is is redirected to the  url
To open the link : Click here

I gave amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5jb29raWUp as url value, which is  base64 encoded  of javascript:alert(document.cookie)

 

Screen shots:

XSS Bug in Amazon Gift Card ceation XSS Bug in Amazon Gift Card ceation

So we can pass any javascript code (base4 encoded) as url parameter.

 

I reported this bug to amazon on 11th Feb 2016, and it was fixed on 16th Feb 2016.  Unfortunately, Amazon does not give any bounty for security vulnerabilities.  :(

 

Mail confirmation from amazon:

XSS BUG amazon Gift card creation Fixed


I am a Developer. My motto: "Language is not a barrier" http://hayageek.com
All posts by Ravishanker Kusuma