The Amazon Wishlist was vulnerable to both CSRF and stored XSS. I discovered these vulnerabilities separately, but I'd like to describe both of them in one blog post here. Even though neither of these vulnerabilities would have had a big impact on its own, combined they could have become a serious problem. There was no CSRF-token validation for creating a new wishlist. Because of this, an a