HTML Injection Bug on Tokopedia


Hello everyone! Here is my write-up of an HTML injection bug on Tokopedia.

What is HTML Injection?

Hypertext Markup Language (HTML) injection is a technique used to take advantage of non-validated input to modify a web page presented by a web application to its users. Attackers take advantage of the fact that the content of a web page is often related to a previous interaction with users.

Source: https://www.imperva.com/learn/application-security/html-injection/

I injected an HTML payload through the JSON voucher request in Tokopedia's chat feature.

Proof of Concept:

  1. Log in to an account in the Tokopedia application.
  2. Open Chat and select the victim.
  3. Click "+" and select Voucher.
  4. Click any voucher and open Burp Suite.

(Screenshot: Voucher)

  5. Send the voucher and modify the intercepted request, inserting the HTML injection payload.

(Screenshot: Voucher request with the HTML injection payload)
(Screenshot: HTML injection rendered in the chat)

Remediation:

The application should filter (or HTML-encode) metacharacters in user input before rendering that input to other users.
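To make the remediation concrete, here is an added example (not Tokopedia's code) of a chat client rendering a voucher received as JSON: the vulnerable renderer concatenates the sender-controlled fields straight into markup, while the fixed renderer HTML-encodes the metacharacters first. The field names and the sample voucher are constructed for illustration.

```javascript
// Added example, not code from the original write-up or from Tokopedia.
// Field names ("title", "code") and the sample voucher are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every HTML metacharacter so the value is displayed as text,
// not parsed as markup by the recipient's browser.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: voucher fields taken from the chat JSON are trusted as markup.
function renderVoucherVulnerable(voucher) {
  return `<div class="voucher"><b>${voucher.title}</b> <code>${voucher.code}</code></div>`;
}

// Fixed: every sender-controlled field is encoded before it reaches the template.
function renderVoucherSafe(voucher) {
  return `<div class="voucher"><b>${escapeHtml(voucher.title)}</b> <code>${escapeHtml(voucher.code)}</code></div>`;
}

// Counts opening and closing tags in rendered HTML. A regression test can
// compare this with the template's own tag count (6 here) to detect injected markup.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

// Constructed sample: a voucher JSON whose title carries markup, as a sender
// could supply by modifying the request before the server forwards it.
const sampleVoucherJson = JSON.stringify({
  title: '<h1>Free Shipping</h1><i>limited</i>',
  code: 'SAMPLE-CODE',
});

const voucher = JSON.parse(sampleVoucherJson);
console.log('vulnerable tags:', countTags(renderVoucherVulnerable(voucher))); // 10
console.log('safe tags:', countTags(renderVoucherSafe(voucher)));             // 6
```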

Timeline:

Bug reported: 24 May 2020

Tokopedia confirmed the bug as valid (Medium severity): 26 May 2020

Bug fixed: 03 June 2020

Tokopedia sent the reward ($xxx): 12 July 2020

Thanks for reading. Happy hunting.
