[Writeup][Bug Bounty][Tokopedia] Manipulation of Likes in Product Reviews [EN]


Intro

Before starting: Insecure Direct Object Reference, hereinafter referred to as IDOR, is a condition in which a user can access an object without passing the access rights check (OWASP, 2019).

With IDOR, a user can access, change, and delete data. This makes IDOR a very dangerous security hole. Please note, the bug discussed in this writeup has been patched by Tokopedia and screenshots will be censored because of PII.
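The missing access-rights check from the definition above, shown on a like handler as an added example (not code from this writeup or from Tokopedia). The page does not show the request, so the `user_id` and `review_id` fields, the handler names and the in-memory store are all assumptions chosen to illustrate the bug class and its fix.

```python
# Added illustration: hypothetical like handler, not Tokopedia's code.
from dataclasses import dataclass, field


@dataclass
class ReviewLikes:
    """In-memory stand-in for a likes table: review_id -> set of user ids."""
    likes: dict = field(default_factory=dict)

    def count(self, review_id):
        return len(self.likes.get(review_id, set()))

    def add(self, review_id, user_id):
        self.likes.setdefault(review_id, set()).add(user_id)


def like_vulnerable(store, session_user_id, body):
    # Flaw: the actor is taken from the request body (assumed field "user_id"),
    # so the session identity is never compared against it.
    store.add(body["review_id"], body["user_id"])
    return store.count(body["review_id"])


def like_hardened(store, session_user_id, body):
    # Fix: the actor comes only from the authenticated session; a client-supplied
    # user_id that disagrees with it is rejected so the attempt can be logged.
    claimed = body.get("user_id", session_user_id)
    if claimed != session_user_id:
        raise PermissionError("user_id does not match authenticated session")
    store.add(body["review_id"], session_user_id)
    return store.count(body["review_id"])


def demo():
    # Constructed input: one authenticated user (id 1001) sends five requests,
    # each claiming a different user_id.
    requests = [{"review_id": 77, "user_id": uid} for uid in range(1001, 1006)]
    weak, strong, rejected = ReviewLikes(), ReviewLikes(), 0
    for body in requests:
        like_vulnerable(weak, 1001, body)
        try:
            like_hardened(strong, 1001, body)
        except PermissionError:
            rejected += 1
    return weak.count(77), strong.count(77), rejected


if __name__ == "__main__":
    print(demo())
```

The rejected count is the signal worth alerting on: a single session repeatedly submitting identities other than its own.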


Affected Endpoint

https://ws.tokopedia.com/reputationapp/review/api/v1/likedislike


Impact

Manipulation of the number of likes on product reviews


Steps to Reproduce


Timeline


References

  1. https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet
  2. https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)
  3. https://www.bugcrowd.com/how-to-find-idor-insecuredirect-object-reference-vulnerabilities-for-large-bountyrewards/
Muhammad Thomas Fadhila Yahya
