Amazon.com Stored XSS via Book Metadata

简介: Amazon's Kindle Library, also known as "Manage Your Content and Devices" and "Manage your Kind...
Amazon's Kindle Library , also known as "Manage Your Content and Devices" and "Manage your Kindle",  is, at the time of writing, vulnerable to Stored Cross-Site Scripting (XSS) attacks . Malicious code can be injected via e-book metadata; for example, an e-book's title.

Once an attacker manages to have an e-book (file, document, ...) with a title like
<script src="https://www.example.org/script.js"></script>
added to the victim's library, the code will be executed as soon as the victim opens the Kindle Library web page. As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim's Amazon account can be compromised.


  

Who is affected?


Basically, everyone who uses Amazon's Kindle Library to store e-books or to deliver them to a Kindle.

However, users most likely to fall victim to this vulnerability are those who obtain e-books from untrustworthy sources (read: pirated e-books) and then use Amazon's "Send to Kindle" service to have them delivered to their Kindle. From the supplier's point of view, vulnerabilities like this present an opportunity to gain access to active Amazon accounts.

Users who stick to e-books sold and delivered by Amazon should be safe, unless there's another oversight on Amazon's part, such as the one described here: < http://drwetter.eu/amazon/ >

Proof of Concept & Demonstration


A Proof of Concept (PoC) file can be downloaded from < https://fl7.de/pub/2014/amazon-mobixss/pub.mobi >; its title metadata contains the classic "<script>alert('xss')</script>" payload. Simply send it to your "Send to Kindle" email address and browse to your Kindle Library page at < https://www.amazon.com/mn/dcw/myx.html#/home/content/pdocs/dateDsc/ >. Depending on whether the file was already delivered to your Kindle or not, you may have to select "Pending Deliveries" from the drop-down box below the "Your Content" tab.

And this is what it looks like:


You can remove the file from your library as soon as it has been delivered to your Kindle, and while doing so you will notice about half a dozen additional alert boxes. 

History, Response


When I first reported this vulnerability to Amazon in November 2013,  my initial Proof of Concept, a MOBI e-book with a title similar to the one mentioned above, contained code to collect cookies and send them to me. Interestingly, Amazon's Information Security team continued to use this PoC on internal preproduction systems for months after the vulnerability had been fixed. This made it even more surprising that, when rolling out a new version of the  "Manage your Kindle" web application, Amazon reintroduced this very vulnerability.

Amazon chose not to respond to my subsequent email detailing the issue, and two months later, the vulnerability remains unfixed.

Not Just Amazon


You may be thinking that XSS-inducing metadata in e-books doesn't affect you simply because you are organizing your e-books not through a web interface, but with Calibre <http://calibre-ebook.com/>. Well, have a look at this:

 

 

Calibre's developer, Kovid Goyal, acknowledged the problem less than four hours after I had reported it, and a new release - version 1.80 - including a bugfix was made available the following day. This is quite an impressive response (time), even more so when you consider that Calibre is maintained by an individual who make this software available at no cost. If you are a frequent Calibre user, consider making a donation!

  

Timeline


2013-10-24 Vulnerability discovered.
2013-11-15 Vulnerability reported to security@amazon.com.
2013-11-19 Amazon.com Information Security assigns case number.
2013-12-06 Reported vulnerability fixed.
2014-??-?? Vulnerability reintroduced by "Manage Your Kindle" web page redesign.
2014-07-09 Vulnerability reported to security@amazon.com.
2014-09-12 (Still no response from Amazon. Public disclosure.)
目录
相关文章
|
JavaScript 前端开发 Ruby
Easy DOM-based XSS detection via Regexes
If you are interested in finding DOM-based XSS, you must have knowledge of http://code.
864 0
|
1月前
|
JavaScript 安全 前端开发
同源策略如何防止 XSS 攻击?
【10月更文挑战第31天】同源策略通过对 DOM 访问、Cookie 访问、脚本执行环境和跨源网络请求等多方面的严格限制,构建了一道坚实的安全防线,有效地防止了 XSS 攻击,保护了用户在网络浏览过程中的数据安全和隐私。
101 49
|
5月前
|
存储 安全 JavaScript
手摸手带你进行XSS攻击与防御
当谈到网络安全和信息安全时,跨站脚本攻击(XSS)是一个不可忽视的威胁。现在大家使用邮箱进行用户认证比较多,如果黑客利用XSS攻陷了用户的邮箱,拿到了cookie那么就可以冒充你进行收发邮件,那真就太可怕了,通过邮箱验证进行其他各种网站的登录与高危操作。 那么今天,本文将带大家深入了解XSS攻击与对应的防御措施。
|
1月前
|
安全 前端开发 Java
Web安全进阶:XSS与CSRF攻击防御策略深度解析
【10月更文挑战第26天】Web安全是现代软件开发的重要领域,本文深入探讨了XSS和CSRF两种常见攻击的原理及防御策略。针对XSS,介绍了输入验证与转义、使用CSP、WAF、HTTP-only Cookie和代码审查等方法。对于CSRF,提出了启用CSRF保护、设置CSRF Token、使用HTTPS、二次验证和用户教育等措施。通过这些策略,开发者可以构建更安全的Web应用。
95 4
|
1月前
|
安全 Go PHP
Web安全进阶:XSS与CSRF攻击防御策略深度解析
【10月更文挑战第27天】本文深入解析了Web安全中的XSS和CSRF攻击防御策略。针对XSS,介绍了输入验证与净化、内容安全策略(CSP)和HTTP头部安全配置;针对CSRF,提出了使用CSRF令牌、验证HTTP请求头、限制同源策略和双重提交Cookie等方法,帮助开发者有效保护网站和用户数据安全。
76 2
|
1月前
|
存储 安全 Go
Web安全基础:防范XSS与CSRF攻击的方法
【10月更文挑战第25天】Web安全是互联网应用开发中的重要环节。本文通过具体案例分析了跨站脚本攻击(XSS)和跨站请求伪造(CSRF)的原理及防范方法,包括服务器端数据过滤、使用Content Security Policy (CSP)、添加CSRF令牌等措施,帮助开发者构建更安全的Web应用。
99 3
|
1月前
|
SQL 存储 安全
什么是XSS攻击?什么是SQL注入攻击?什么是CSRF攻击?
理解并防范XSS、SQL注入和CSRF攻击是Web应用安全的基础。通过采用严格的输入验证、使用安全编码实践以及实现适当的身份验证和授权机制,可以有效防止这些常见的Web攻击,保障应用程序和用户的数据安全。
42 0
|
3月前
|
存储 安全 JavaScript
XSS跨站脚本攻击详解(包括攻击方式和防御方式)
这篇文章详细解释了XSS跨站脚本攻击的概念、原理、特点、类型,并提供了攻击方式和防御方法。
583 1
|
2月前
|
存储 JavaScript 安全