[Writeup][Bug Bounty][Tokopedia] Manipulate Other User’s Cart and Wishlist on Tokopedia [EN]

- 7 mins


Before starting, IDOR is Insecure Direct Object Reference, hereinafter referred to as IDOR, is a condition in which users can access an object without passing the access rights check. (OWASP, 2019)

With IDOR, a user can access, change, and delete data. This makes IDOR a very dangerous security hole. Please note, the bug discussed in this writeup has been patched by Tokopedia, and screenshots will be censored because of PII.

Affected Endpoint






Several things can be done by using these vulnerabilities:

Steps to Reproduce

I set up two accounts, Account A as Attacker with ID: 37822XXX and Account B as Victim with ID: 49468XXX.

Because this finding is chaining which means it involves more than one endpoint, I will divide this article into several sections.

Part 1. Viewing Products in Other Users’ Cart.




  1. https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet
  2. https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)
  3. https://www.bugcrowd.com/how-to-find-idor-insecuredirect-object-reference-vulnerabilities-for-large-bountyrewards/
Muhammad Thomas Fadhila Yahya

Muhammad Thomas Fadhila Yahya

A man who believes in Hogwarts and Wakanda

comments powered by Disqus
rss facebook twitter github gitlab youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora quora