XSS in store.adobe.com

It is an old self reflected XSS (April 6th, 2013), but it was a nice hunt for the beginning of my career.

Steps to reproduce:

1. Navigate to http://store1.adobe.com

2. Choose any product and click its link (for example: Adobe Acrobat XI Pro

3. Choose any option from the dropdown menu and click “Add to Cart”. Now data is being send via POST request. Vulnerable variable is “store”, which has a default value of “OLS-US”. You can inject any JavaScript code into it, for example:


This will show user’s cookies in an alert box.

Additionally this error reveals internal IP address:

This got me listed on Adobe Acknowledgements page.


[April 6th 2013] - bug was reported
[April 22nd 2013] - Adobe contacted me
[July 30 2013] - bug was fixed

Leave a Reply

Your email address will not be published. Required fields are marked *