How Inspect Element led to Stored XSS on Bukalapak’s website

wis4nggeni
Dec 23, 2019 · 4 min read

Tl;dr: a unique high-severity misconfiguration I found on Bukalapak’s website that led to stored XSS, just by inspecting an HTML element on their page.

Assalamualaikum Wr. Wb. (Peace be upon you dear readers)

Bukalapak is one of the biggest online marketplaces and “unicorn” startups in Indonesia. One day, when I was taking a break and checking their website to buy something, I noticed that they run a Bug Bounty Program, and I thought it would be cool if I could carve my name on their lovely “Wall of Fame”.

I was especially interested in looking for vulnerabilities in one of their new features, hosted on a specific subdomain, REDACTED.bukalapak.com. Simply because it’s a new feature, I thought it was more likely that they had missed something that could lead to a vulnerability.

Long story short, after some time, I couldn’t find anything interesting besides some minor or very low severity bugs like clickjacking with no sensitive action, rate-limiting issues, etc.

But when I did inspect element on one of the pages to check whether my XSS payload fired (it didn’t, sadly), I found something that caught my eye in the browser console. The page was trying to fetch an image from another subdomain, but the request failed and returned a 404 response, which was printed in the browser console. The URL looked like this:

https://REDACTED.bukalapak.com/img/some-random-text.jpg

(Image: Broken link)

I got curious and opened the link in a new tab, and surprisingly, I got that beautiful “NoSuchBucket” error page from Amazon S3, along with the bucket name.

(Image: Beautiful…)

At this point, I knew that a takeover was most likely possible, but I was curious, because previously none of the subdomain takeover scanner tools I had used could detect this. So I stripped the URL down to find the main address that pointed to the unclaimed Amazon S3 bucket. I found out that the URL was something like this:

https://REDACTED.bukalapak.com/img/

It turns out that REDACTED.bukalapak.com is up and well; it hosts another feature of the Bukalapak website and works beautifully. That’s why I decided to call this a “subfolder takeover” and not a “subdomain takeover”: I took over a subfolder, not a subdomain, although the methodology is the same.
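The defender’s side of what the write-up describes is an inventory check: for every path a site proxies to S3, confirm the backing bucket still exists, because a NoSuchBucket error (unlike a NoSuchKey 404 for a missing object) means the bucket name is free for anyone to register. The following is an added example, not code from the original post or from Bukalapak; the error bodies, hostnames and bucket name are constructed placeholders, and the fetch function is injected so it runs offline.

```python
# Added example (not from the write-up): flag proxied paths whose backing S3
# bucket no longer exists. Sample bodies are constructed; names are placeholders.
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional, Tuple

# Constructed: S3's reply when a path still points at a deleted bucket
# (the takeover precondition: the name can be re-registered by anyone).
NOSUCHBUCKET_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist</Message>
<BucketName>example-placeholder-bucket</BucketName></Error>"""

# Constructed: a missing object in a bucket that does exist (benign 404).
NOSUCHKEY_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Key>img/some-random-text.jpg</Key></Error>"""

def dangling_bucket(status: int, body: str) -> Optional[str]:
    """Return the unclaimed bucket name for a NoSuchBucket error, else None.
    NoSuchKey is deliberately ignored: that bucket exists and is owned."""
    if status != 404 or "<Error>" not in body:
        return None
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return None
    if root.tag != "Error" or root.findtext("Code") != "NoSuchBucket":
        return None
    return root.findtext("BucketName")

def scan(urls, fetch: Callable[[str], Tuple[int, str]]) -> Dict[str, str]:
    """Map each URL whose response exposes an unclaimed bucket to its name.
    `fetch` is injected so this runs offline; in production it would be an
    HTTP GET against every path the asset inventory says is proxied to S3."""
    findings: Dict[str, str] = {}
    for url in urls:
        name = dangling_bucket(*fetch(url))
        if name:
            findings[url] = name
    return findings

# Constructed offline responses keyed by URL (placeholder hostname).
FAKE_RESPONSES = {
    "https://app.example.test/img/": (404, NOSUCHBUCKET_BODY),
    "https://app.example.test/static/": (404, NOSUCHKEY_BODY),
    "https://app.example.test/": (200, "<html>ok</html>"),
}

if __name__ == "__main__":
    print(scan(FAKE_RESPONSES, FAKE_RESPONSES.__getitem__))
```

Only the `/img/` path is reported: the `/static/` 404 is a missing object in a bucket someone still owns, which is why hostname-only takeover scanners that never request the proxied path miss this class of misconfiguration.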

After taking a sip of my coffee, I started the takeover process: I made an Amazon S3 bucket with the name printed on the error page. When choosing a region, Patrik Hudak has actually written on his blog about how to guess the region (he has written a lot of amazing articles about subdomain takeover; you should read them if you have the time), but considering Bukalapak is a product from Indonesia, I decided to just choose the nearest possible region (Asia Pacific), and it turns out I was right. The takeover was complete; the subfolder now pointed to an Amazon S3 bucket under my control.

So, what could I achieve by taking over this subfolder?

The first one that came to mind was stored XSS: I found out that their cookies are set on a wildcard domain, so basically they use the same cookies everywhere, and XSS to steal session cookies was possible. The second one: because this subfolder is hosted on one of their subdomains, clickjacking is possible on any page with X-Frame-Options set to a same-origin subdomain, and such pages most of the time contain sensitive actions. I could also host phishing content, which, combined with the XSS and clickjacking, could be a very powerful attack vector.

(Image: The popup everyone loves.)

But I didn’t exploit further because I was afraid it was against their rules, so I decided to report it right away and let them decide the severity. Surprisingly, their Cyber Incident Responder replied to my report in less than half an hour! Very cool response time, kudos to their security team. They asked me to upload a specific file to confirm my findings, so I did it right away.

Wassalamualaikum Wr. Wb.

Timeline:

  • August 13 2019: report sent.
  • August 13 2019 (less than half an hour later): Cyber Incident Responder replied to my email, asking me to upload a specific file to confirm my findings.
  • August 14 2019: report validated, categorized as a misconfiguration with High severity level. They asked for my data to be posted on their Wall of Fame and for bounty payment.
  • August 26 2019: they carved my name on their Wall of Fame.
  • September 24 2019: $$$ paid with a thank you note.
  • December 23 2019: disclosure request approved by security team, write-up published.


wis4nggeni

Written by

Former Android Developer, now full-time Bug Bounty Hunter from Indonesia. Feel free to contact me anytime: https://t.me/wis4nggeni.

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
