Stored XSS Vulnerability in Amazon (or How to hack Amazon with a book) - borski
http://drwetter.eu/amazon/

======
jerf
Just replicated the Stallown3d!1 one, it's still there.

Actually a useful link to have; I've had some difficulty convincing people in
the past that this sort of injection is a big deal and that's a convenient,
harmless way to prove the point.

~~~
pbhjpbhj
Doesn't that mean you only need to control <http://ha.ckers.org/s.js> (or
similar) rather than write a book?
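The defect the thread is poking at is a stored title rendered straight into HTML. The following added example (not from the linked write-up or from Amazon) shows the vulnerable rendering beside a hardened one and a regression check; the book title and the page template are constructed, and the script URL is the ha.ckers.org one mentioned above.

```python
import html
import re

# Constructed sample: a vendor-supplied book title carrying a script tag
# that points at an external JS file (the URL named in the thread).
SAMPLE_TITLE = 'XSS for Dummies <script src="http://ha.ckers.org/s.js"></script>'

# Constructed page fragment: the title lands in an element body and in a
# quoted attribute, two contexts that both need escaping.
PAGE_TEMPLATE = '<h1>{title}</h1>\n<img alt="{title}" src="/cover.jpg">'


def render_vulnerable(title: str) -> str:
    """Interpolates the stored title as-is: any markup in it becomes live
    markup in the product page (the bug class the thread describes)."""
    return PAGE_TEMPLATE.format(title=title)


def render_hardened(title: str) -> str:
    """Same page, but the title is HTML-escaped with quotes included, so it
    is safe in both the element body and the double-quoted attribute."""
    return PAGE_TEMPLATE.format(title=html.escape(title, quote=True))


def contains_active_markup(rendered: str) -> bool:
    """Cheap regression check for a test suite: a raw <script tag or an
    inline on*= handler in rendered output means escaping was skipped."""
    lowered = rendered.lower()
    return "<script" in lowered or re.search(r"\son\w+\s*=", lowered) is not None


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_TITLE))
    print("---")
    print(render_hardened(SAMPLE_TITLE))
```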

------
schrototo
This has to be the funniest XSS hack of all time.

------
iwwr
The Bobby Tables of literature

------
infinity
This is fantastic! Great find. It reminds me a little of the idea of pen and
paper attacks, like this <http://news.ycombinator.com/item?id=1721494>

But writing a book as an attack vector is certainly epic.

------
kingofspain
Couple of $$, CreateSpace. Bait-y title. Merry Xmas!

------
Mithrandir
Couldn't do it w/o logging in, until I copied the URL from the author's
picture.

[http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense...](http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/ref=sr_1_1?ie=UTF8&qid=1292506849&sr=8-1)

------
code_duck
Now THAT would be an elaborate hack to pull off. Obviously Amazon never
thought of that! Between this and the magic goggles, this week is turning out
to be so interesting.

------
Groxx
That is an _epic_ XSS hack. I think they won.

------
FluidDjango
Possibly fixed?

I'm not seeing this vulnerability now via Mac Firefox 3.6.12 or Safari.

~~~
infinity
It seems so, I'm not seeing this with Internet Explorer. The Book Preview does
not work at all in Opera :-(

------
Mithrandir
ha.ckers is down. :(

