LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

XSS REFLECTED On Site https://accounts.bukalapak.com/

3 years ago 193
BOOK THIS SPACE FOR AD
ARTICLE AD

Aidil Arief

Assalamualaikum Bug Hunter & Teman-teman semua.

Dikesempatan kali ini saya menyempatkan diri untuk menulis kembali artikel write up temuan Celah Keamanan ( Bug ) Di Program BukaBounty ( Bukalapak Bug Bounty Program ).

Baiklah langsung saja ke topik pembahasan nya.

Kerentanan yang saya temukan di BukaLapak adalah XSS REFLECTED.

XSS REFLECTED berada di url :

https://accounts.bukalapak.com/register?comeback=javascript:prompt(document.domain)&from=home_mobile

Dan selanjutnya diarahkan ke halaman Register.

Lalu silahkan Register, Bisa manual dan bisa menggunakan Pihak Ketiga ( Google dan Facebook).

Disini saya mengambil langkah via Pihak Ketiga ( Google ). Karena demi keamanan juga :D jika saya memakai cara manual, maka akan disuruh memasukkan password :'(

Klik ikon "Google"

Dan lalu akan diarahkan ke halaman Sukses Pendaftaran Akun.

Selanjutnya klik Icon "Mulai Belanja"

Dan pop up muncul :D

Timeline :

Report : 12/03/2021

Valid : 14/04/2021

Level : low impact ( Karena membutuhkan beberapa aksi yakni berupa (isi formulir, verifikasi akun, isi password, dst) )

Rewards :

- Wall Of Fame BukaBounty ( https://bukalapak.github.io/bukabounty/ )

Read Entire Article
  3. XSS REFLECTED On Site https://accounts.bukalapak.com/

Related

How I Climbed to #1 Hacker

How I Climbed to #1 Hacker

Python — Program Security Headers

Python — Program Security Headers

What is Cybersecurity

What is Cybersecurity

Mastering Bug Bounty Hunting with White Rabbit Neo AI

Mastering Bug Bounty Hunting with White Rabbit Neo AI

How to Create an Android Payload in Just 1 Minute | Ethical Hacking

How to Create an Android Payload in Just 1 Minute | Ethical Hacking

Crack the Code: Earn Up to $500K in InceptionLRT’s Bug Bounty Program

Crack the Code: Earn Up to $500K in InceptionLRT’s Bug Bounty Program

Trending

1. Honda Amaze
2. Earthquake in Hyderabad
3. Earthquake
4. Indian Navy Day
5. Allu Arjun Pushpa movie
6. Sukhbir Badal
7. Sunil Pal
8. Bayern Munich
9. Banking Laws (Amendment) Bill, 2024
10. FC Barcelona

Popular

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved