So, this is just an old bug that I reported around 2018. I'll share what I found on Tokopedia, just in case you need an article to fall asleep to. It will only be a short description and PoC. Here it is:
Stored XSS On Complain Product (Keterangan Bukti Field)
This vulnerability is in the product complaint feature: when a buyer is not satisfied with an item they bought, they can file a complaint and upload some images. The vulnerability is in the image description field.
PoC:
- Go to the complaint menu
- Upload some image
- Input the payload in the description of the image ( <img src=x onerror=alert(document.domain)> )
- The payload will be executed when a user navigates to the resolution menu.
Video:
Stored XSS On Location Shop (m.tokopedia.com )
This vulnerability is in the Shop Location parameter at https://m.tokopedia.com/ . The bug is simply setting the shop location to the payload; when someone navigates to the shop detail page, the XSS pops up.
PoC:
- Open the Tokopedia mobile app
- Edit the shop location to the XSS payload ( <img src=x onerror=alert(document.domain)> )
- Open the location via the browser
Video:
Stored XSS via AngularJS Injection On Etalase Name
The vulnerability exists because Tokopedia installed an old version of AngularJS and did not filter illegal characters very well. So I just inserted an AngularJS injection payload into the Etalase Name and the XSS fired.
PoC:
- Go to Add Product
- Set the Etalase Name to the AngularJS payload ( {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(document.domain)//');}} )
- Save, and open the product
Video:
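As an added example (not code from the original post or from Tokopedia), here is browser-side JavaScript showing the controls a defender would want for the three stored XSS fields above (the image description, the shop location and the etalase name), and the caveat that matters for the third one: plain HTML output encoding neutralizes the <img onerror> payload but leaves the AngularJS payload intact, because {{ }} contains no HTML-significant character and AngularJS interpolates the decoded text node. The field names and the renderUntrustedText/validateShortName helpers are assumptions; ng-non-bindable is a real AngularJS directive.

```javascript
// Added example, not code from the original post or from Tokopedia.
// Shows (1) HTML output encoding for the <img onerror> payload,
// (2) why that encoding alone does not stop the AngularJS payload, and
// (3) the two controls that do: ng-non-bindable at render time plus
// input validation. Helper and field names are assumptions.

// Constructed copies of the payloads quoted in the write-up, used as test input.
const HTML_PAYLOAD = '<img src=x onerror=alert(document.domain)>';
const ANGULAR_PAYLOAD =
  "{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(document.domain)//');}}";

// Encode the five HTML-significant characters for an HTML text or
// quoted-attribute context. Apply at render time, not at storage time.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// AngularJS interpolates any {{ ... }} found in the text of a compiled
// element. Braces are not HTML-significant, and AngularJS reads the decoded
// text node, so escapeHtml() leaves the expression untouched.
function containsInterpolation(s) {
  return /\{\{[\s\S]*?\}\}/.test(String(s));
}

// Render-time control for an AngularJS view: ng-non-bindable tells the
// compiler not to interpolate inside the element, and escapeHtml() still
// handles the markup characters.
function renderUntrustedText(s) {
  return `<span ng-non-bindable>${escapeHtml(s)}</span>`;
}

// Input-side control (defense in depth) for short free-text fields such as
// an etalase name or a shop location: reject markup and template syntax
// outright rather than trying to clean them.
function validateShortName(s) {
  const value = String(s).trim();
  if (value.length === 0 || value.length > 64) {
    return { ok: false, reason: 'length must be 1-64 characters' };
  }
  if (/[<>]/.test(value)) {
    return { ok: false, reason: 'markup is not allowed' };
  }
  if (containsInterpolation(value)) {
    return { ok: false, reason: 'template syntax is not allowed' };
  }
  return { ok: true, reason: '' };
}

// Usage: the first line is safe to insert into HTML; the second shows the gap
// that ng-non-bindable or input validation has to close.
console.log(escapeHtml(HTML_PAYLOAD));
console.log(containsInterpolation(escapeHtml(ANGULAR_PAYLOAD))); // true
```

The order of the checks in validateShortName is deliberate: a length limit first keeps long payloads out of the regexes, and the template-syntax check runs after escaping is irrelevant, since it looks for the raw braces that HTML encoding would never touch.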
Blind XSS on CS System ( Tokocash )
Tokopedia has a CS system that uses a Salesforce application. After some discussion between Tokopedia and Salesforce, the root cause turned out to be in Tokopedia's custom code.
PoC:
- Log in to Tokocash.com
- Request a new ticket with an XSS Hunter payload
- Wait for the payload to execute and show up on the XSS Hunter dashboard.
Actually I found more stored XSS bugs, but sadly those were marked as duplicates. I only included fresh bugs that were marked as valid.
Thanks! Get in touch with me on Twitter: Apapedulimu