I recently found an XSS bug in the Amazon Gift Card creation flow, and I am going to explain how it works.
Below is the URL for creating an Amazon Gift Card.
https://www.amazon.com/gc/quickpurchasewidget/home/nav?amount=50.00
&asin=B0145WHYKC&message=I+hope+you+enjoy+this+Amazon+gift+card!
&deliveryDate=&
pf_rd_p=2368252362&pf_rd_s=merchandised-search-left-3&
pf_rd_t=101&pf_rd_i=2238192011&pf_rd_m=ATVPDKIKX0DER&
pf_rd_r=KH42V4DQGYMBH5502A60&url=XXXXXXXXXXXXXXXX
The url parameter is a base64-encoded URL. Once the gift card is created or cancelled, the page is redirected to that URL.
To open the link: Click here
I gave amF2Y
Screen shots:
So we can pass any JavaScript code (base64-encoded) as the url parameter.
I reported this bug to Amazon on 11th Feb 2016, and it was fixed on 16th Feb 2016. Unfortunately, Amazon does not give any bounty for security vulnerabilities. :(
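One way a server can validate a base64-encoded redirect parameter like url before using it. This is an added example, not Amazon's code and not part of the original post, which does not describe how the fix was made. The names safeRedirectTarget, ALLOWED_HOSTS and FALLBACK, the allowlist contents and the sample inputs are assumptions for illustration.

```javascript
// Added example (not Amazon's code): validate a base64-encoded redirect
// target. All names and the allowlist below are hypothetical.
const ALLOWED_HOSTS = new Set(['www.amazon.com']); // assumption: same-site returns only
const FALLBACK = '/';                              // assumption: safe default page

function safeRedirectTarget(encoded) {
  if (typeof encoded !== 'string' || encoded.length === 0 || encoded.length > 2048) {
    return FALLBACK;
  }
  // Buffer.from(..., 'base64') silently skips invalid characters, so check
  // the alphabet (standard and URL-safe) before decoding.
  if (!/^[A-Za-z0-9+\/_-]+={0,2}$/.test(encoded)) return FALLBACK;
  const decoded = Buffer.from(encoded, 'base64').toString('utf8');
  // URL parsers strip or normalise whitespace, control characters and
  // backslashes; reject them so the checked value is the value that is used.
  if (/[\u0000-\u0020\u007f\\]/.test(decoded)) return FALLBACK;
  let url;
  try {
    url = new URL(decoded); // absolute URLs only; relative input throws
  } catch {
    return FALLBACK;
  }
  // Scheme allowlist: javascript:, data:, vbscript: and similar never pass.
  if (url.protocol !== 'https:') return FALLBACK;
  // No userinfo, so "https://www.amazon.com@other.example/" cannot mislead.
  if (url.username || url.password) return FALLBACK;
  if (!ALLOWED_HOSTS.has(url.hostname)) return FALLBACK;
  return url.href; // redirect to the normalised form, not the raw input
}

// Constructed sample inputs, encoded here so the block runs offline.
const encode = (s) => Buffer.from(s, 'utf8').toString('base64');
for (const target of [
  'https://www.amazon.com/gc/',
  'javascript:alert(1)',
  'https://other.example/',
]) {
  console.log(target, '->', safeRedirectTarget(encode(target)));
}
```

Because the client-side redirect is what executes a javascript: URL, the scheme check has to happen on the decoded value, not on the base64 text that filters and logs see.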
Mail confirmation from amazon: