Hello everyone! Here is my write-up of the bug “HTML Injection” on Tokopedia.
What is HTML Injection?
Hypertext Markup Language (HTML) injection is a technique used to take advantage of non-validated input to modify a web page presented by a web application to its users. Attackers take advantage of the fact that the content of a web page is often related to a previous interaction with users.
Source: https://www.imperva.com/learn/application-security/html-injection/
I injected an HTML payload via the JSON voucher message in Tokopedia’s chat.
Proof of Concept:
1. Log in to an account in the Tokopedia application.
2. Open Chat and select the victim.
3. Click “+” and select Voucher.
4. Click a random voucher and open Burp Suite.
5. Send the voucher and modify the request with the HTML injection payload.
Remediation:
The application should filter HTML metacharacters from user input before that input is rendered in the page.
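To make the bug and the remediation concrete, here is an added example (my own illustration, not Tokopedia’s code). It models a chat client that takes a voucher object from JSON and builds the markup for it: the unsafe renderer concatenates the field straight into HTML, the hardened renderer HTML-encodes every user-controlled field first, and a server-side check flags voucher fields that carry HTML metacharacters. The field names `voucher_name` and `voucher_code`, and the sample messages, are assumptions for the example.

```javascript
// Added example, not Tokopedia's code. Field names and sample messages are assumed.

// Map of the characters that change meaning in HTML element content / attributes.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// HTML-encode a string so it is rendered as text, never parsed as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable renderer: the JSON field is concatenated directly into the markup,
// so any tags inside voucher_name become part of the page (the bug described above).
function renderVoucherUnsafe(voucher) {
  return (
    `<div class="voucher">` +
    `<span class="name">${voucher.voucher_name}</span>` +
    `<span class="code">${voucher.voucher_code}</span>` +
    `</div>`
  );
}

// Hardened renderer: every user-controlled field is encoded for the element-content
// context before it is placed in the markup.
function renderVoucherSafe(voucher) {
  return (
    `<div class="voucher">` +
    `<span class="name">${escapeHtml(voucher.voucher_name)}</span>` +
    `<span class="code">${escapeHtml(voucher.voucher_code)}</span>` +
    `</div>`
  );
}

// Server-side check in the spirit of the remediation note: a voucher field that
// contains HTML metacharacters should be rejected (or at least logged) when the
// chat message is received, before it is stored or forwarded to the recipient.
function containsHtmlMetachars(value) {
  return /[<>"'&]/.test(String(value));
}

function validateVoucherMessage(voucher) {
  const suspicious = ["voucher_name", "voucher_code"].filter((field) =>
    containsHtmlMetachars(voucher[field])
  );
  return { ok: suspicious.length === 0, suspiciousFields: suspicious };
}

// Constructed sample messages: one legitimate voucher and one whose voucher_name
// was tampered with in the request (a harmless heading tag stands in for the payload).
const SAMPLE_LEGIT = JSON.parse(
  '{"voucher_name":"Cashback 10%","voucher_code":"SAMPLECODE"}'
);
const SAMPLE_TAMPERED = JSON.parse(
  '{"voucher_name":"<h1>Injected heading</h1>","voucher_code":"SAMPLECODE"}'
);

console.log("unsafe  :", renderVoucherUnsafe(SAMPLE_TAMPERED));
console.log("safe    :", renderVoucherSafe(SAMPLE_TAMPERED));
console.log("validate:", validateVoucherMessage(SAMPLE_TAMPERED));
```

Encoding at render time is what actually closes the hole, because it is tied to the context the data ends up in; the input-side check is a useful second layer and a cheap detection signal, since a voucher name should never legitimately contain `<` or `>`.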
Timeline:
Bug reported: 24 May 2020
Tokopedia responded, bug valid (Medium): 26 May 2020
Bug fixed: 03 June 2020
Tokopedia sent reward ($xxx): 12 July 2020
Thanks for reading. Happy hunting.