<img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" alt="HayaGeek" width="114" height="42" >

<img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" alt="HayaGeek" width="114" height="42" >

<img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" alt="HayaGeek" width="114" height="42" >

<img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" alt="HayaGeek" width="114" height="42" data-src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><noscript><img decoding="async" src="https://s3.amazonaws.com/cdn2.hayageek.com/wp-content/uploads/2023/10/19190738/logo-1.png" alt="HayaGeek" width="114" height="42" >

Home XSS Bug in Amazon Gift Card Creation

XSS Bug in Amazon Gift Card Creation

I recently found a XSS bug Amazon Gift card creation flow, I am going to explain how it works.

Below is the URL is for creating Amazon Gift card.
https://www.amazon.com/gc/quickpurchasewidget/home/nav?amount=50.00 &asin=B0145WHYKC&message=I+hope+you+enjoy+this+Amazon+gift+card! &deliveryDate=& pf_rd_p=2368252362&pf_rd_s=merchandised-search-left-3& pf_rd_t=101&pf_rd_i=2238192011&pf_rd_m=ATVPDKIKX0DER& pf_rd_r=KH42V4DQGYMBH5502A60&url=XXXXXXXXXXXXXXXX

url parameter is the base64 encoded URL. Once the gift card is created/cancelled, then the page is is redirected to the url
To open the link : Click here

I gave amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5jb29raWUp as url value, which is base64 encoded of javascript:alert(document.cookie)

Screen shots:

So we can pass any javascript code (base4 encoded) as url parameter.

I reported this bug to amazon on 11th Feb 2016, and it was fixed on 16th Feb 2016. Unfortunately, Amazon does not give any bounty for security vulnerabilities. 🙁

Mail confirmation from amazon:

By

Ravishanker Kusuma

Updated on March 11, 2016

Security