[Writeup][Bug Bounty][Tokopedia] Manipulate Other User’s Cart and Wishlist on Tokopedia [EN]


Intro

Before starting: Insecure Direct Object Reference, hereinafter referred to as IDOR, is a condition in which a user can access an object without passing the access-rights check. (OWASP, 2019)

With IDOR, a user can read, change, and delete data that belongs to someone else. This makes IDOR a very dangerous class of security hole. Please note that the bug discussed in this writeup has been patched by Tokopedia, and screenshots are censored because they contain PII.
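To make the definition concrete, the following is an added illustration, not Tokopedia's code and not taken from the original writeup. It models two cart handlers in the shape of the `/cart/v2/shop_group` and `/cart/v2/update_cart` endpoints: a vulnerable version that selects the object purely from a client-supplied `user_id` or `cart_id`, and a hardened version that derives the caller's identity from the session and checks that the caller owns the object before touching it. All session tokens, user IDs, cart IDs, product IDs and field names are hypothetical and constructed for the example.

```python
# Added example (not Tokopedia's code): a minimal cart service that shows an
# IDOR on cart listing/update and the ownership check that fixes it.
# Session tokens, user IDs, cart IDs and field names are hypothetical.
from dataclasses import dataclass


@dataclass
class CartItem:
    cart_id: int     # global, sequential identifier: trivially guessable
    user_id: int     # owner of the cart line
    product_id: int
    quantity: int


# Constructed sample data: user 1001 is the attacker, user 2002 the victim.
SESSIONS = {"tok-attacker": 1001, "tok-victim": 2002}


def fresh_store():
    """Return a fresh copy of the constructed cart data so runs are independent."""
    return {
        1: CartItem(cart_id=1, user_id=1001, product_id=500, quantity=1),
        2: CartItem(cart_id=2, user_id=2002, product_id=777, quantity=3),
    }


def _current_user(session_token):
    """Resolve the session cookie to the authenticated user id, or None."""
    return SESSIONS.get(session_token)


# --- Vulnerable handlers: the object is chosen by an id the client supplies ---

def shop_group_vulnerable(items, session_token, body):
    """Cart listing that trusts body['user_id'] (IDOR: reads another user's cart)."""
    if _current_user(session_token) is None:
        return 401, None
    target = body["user_id"]            # attacker substitutes the victim's id
    return 200, [vars(i) for i in items.values() if i.user_id == target]


def update_cart_vulnerable(items, session_token, body):
    """Quantity update that only checks the caller is logged in (IDOR: writes)."""
    if _current_user(session_token) is None:
        return 401, None
    item = items.get(body["cart_id"])
    if item is None:
        return 404, None
    item.quantity = body["quantity"]    # no check that the caller owns the line
    return 200, vars(item)


# --- Hardened handlers: identity comes from the session, ownership is verified ---

def shop_group_hardened(items, session_token, body):
    """Cart listing scoped to the session user; body['user_id'] is ignored."""
    user_id = _current_user(session_token)
    if user_id is None:
        return 401, None
    return 200, [vars(i) for i in items.values() if i.user_id == user_id]


def update_cart_hardened(items, session_token, body):
    """Quantity update that refuses to touch a line the session user does not own."""
    user_id = _current_user(session_token)
    if user_id is None:
        return 401, None
    item = items.get(body["cart_id"])
    # Same response whether the line is missing or belongs to someone else,
    # so a guessed cart_id does not leak whether it exists.
    if item is None or item.user_id != user_id:
        return 404, None
    item.quantity = body["quantity"]
    return 200, vars(item)


if __name__ == "__main__":
    items = fresh_store()
    print("vulnerable listing:", shop_group_vulnerable(items, "tok-attacker", {"user_id": 2002}))
    print("hardened listing:  ", shop_group_hardened(items, "tok-attacker", {"user_id": 2002}))
    print("vulnerable update: ", update_cart_vulnerable(items, "tok-attacker", {"cart_id": 2, "quantity": 99}))
    print("hardened update:   ", update_cart_hardened(items, "tok-attacker", {"cart_id": 2, "quantity": 99}))
```

The fix is not "validate the id better": the server simply never lets the request body decide whose object is in play. The hardened update also answers 404 rather than 403 for a line owned by another user, so an attacker iterating sequential `cart_id` values cannot use the status code to enumerate which ids exist.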


Affected Endpoints

https://[redacted]/cart/v2/shop_group

https://[redacted]/cart/v2/add_product_cart

https://[redacted]/cart/v2/update_cart

https://[redacted]/cart/v2/remove_product_cart


Impact

Several things can be done using these vulnerabilities:


Steps to Reproduce

I set up two accounts: Account A as the attacker, with ID 37822XXX, and Account B as the victim, with ID 49468XXX.

Because this finding is a chain, meaning it involves more than one endpoint, I will divide this article into several sections.

Part 1. Viewing Products in Other Users’ Cart.


Remediation


Timeline


References

  1. https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet
  2. https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)
  3. https://www.bugcrowd.com/how-to-find-idor-insecuredirect-object-reference-vulnerabilities-for-large-bountyrewards/
Muhammad Thomas Fadhila Yahya

A man who believes in Hogwarts and Wakanda