8/10
vulnerability
A reflected XSS vulnerability on Amazon's masclient endpoint (/gp/masclient/dp/) allows attackers to inject arbitrary HTML/JavaScript by exploiting insufficient input validation and capitalization of product IDs. The author demonstrates cookie theft and session hijacking via SVG onload attributes with HTML entity encoding to bypass browser XSS protections.
reflected-xss
xss
cookie-theft
html-injection
amazon
android-app
apk-decompilation
character-encoding-bypass
xss-auditor-evasion
svg-onload
html-entity-encoding
url-encoding
jscrew
jjencode
octal-encoding
phishing
session-hijacking
amazon.com
Jonathan Bouman
Scroll.am
Vue.js
AWS Codestar
AWS Lambda
Chrome XSS Auditor
Firefox
jscrew.it
jjencode