At Bukalapak, we are committed to protecting our users' data. Many vulnerabilities could expose it, but two of the most common are cross-site scripting (XSS) and insecure direct object reference (IDOR). We know without a doubt how serious these two vulnerabilities are and how much damage they can cause.
A single alert box is enough as the proof of concept: `alert()`
The solution is fairly simple: every single input should be filtered and every output should be escaped for the context it is written to. Input is not limited to user-provided content; reading config files, reading images from disk, retrieving data from third-party APIs and so on all count as input. Likewise, output is not limited to printing HTML in the view layer. SQL queries also count as output, because the data leaves our application and enters the database's scope. By the same reasoning, writing a file to disk and running a shell command are output too. Browsers have some protection against XSS, but it is good practice to harden the system from the inside as well.
If you want to learn how to find XSS in your own site, you can learn on this site provided by Google. They really understand how dangerous XSS is.
Insecure Direct Object Reference
The second one is IDOR: an anonymous user can access data or execute a method without proper authorization. For example, given https://www.example/transactions/123456, we can infer from the URL that 123456 is the identification number of our transaction. If we request https://www.example/transactions/123457 and it shows another transaction that is not ours, that is an IDOR vulnerability. IDOR can apply to any URL or even an API endpoint.
This one is far more destructive: https://www.example/transactions/123456/delete. If this URL behaves as it suggests, the transaction will be deleted. With a simple automated HTTP client, an attacker could steal or wipe a huge amount of data. The fix is straightforward: apply proper authorization to every single resource. No exceptions.
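As an added example (not Bukalapak's code), the following Python puts both fixes above side by side: escaping output for the context it lands in, and checking ownership on every transaction access, including delete. The transaction table, user ids and function names are constructed for illustration.

```python
# Added example, not Bukalapak's code. Output escaping per context (XSS) and
# an ownership check on every resource access, including delete (IDOR).
import html
import json
from urllib.parse import quote

def escape_for_html_text(value: str) -> str:
    """Data placed between tags or in a quoted attribute: <p>{value}</p>."""
    return html.escape(value, quote=True)

def escape_for_js_string(value: str) -> str:
    """Data placed inside a <script> string literal. json.dumps quotes and
    escapes it; '<' and '>' are escaped too so a '</script>' in the data
    cannot close the script block early."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def escape_for_url_query(value: str) -> str:
    """Data placed in a query parameter: /search?q={value}."""
    return quote(value, safe="")

# Constructed sample table; in a real app this is a database query.
TRANSACTIONS = {
    123456: {"owner_id": 1, "amount": 50000},
    123457: {"owner_id": 2, "amount": 75000},
}

class Forbidden(Exception):
    pass

def owns_transaction(current_user_id: int, transaction_id: int) -> bool:
    """Authorize by (id AND owner), never by id alone. A missing id and a
    foreign id both return False, so the caller learns nothing about which."""
    tx = TRANSACTIONS.get(transaction_id)
    return tx is not None and tx["owner_id"] == current_user_id

def get_transaction(current_user_id: int, transaction_id: int) -> dict:
    """Read endpoint: guessing a neighbouring id yields Forbidden."""
    if not owns_transaction(current_user_id, transaction_id):
        raise Forbidden(f"transaction {transaction_id} not accessible")
    return TRANSACTIONS[transaction_id]

def delete_transaction(current_user_id: int, transaction_id: int) -> bool:
    """The mutating endpoint goes through the same check, no exceptions."""
    if not owns_transaction(current_user_id, transaction_id):
        raise Forbidden(f"transaction {transaction_id} not accessible")
    del TRANSACTIONS[transaction_id]
    return True
```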
Although we at Bukalapak have a whole security squad vigorously striving for security, and have taken multiple measures to seal these vulnerabilities while developing new things, there is still no impregnable fortress. Please talk to us if you find any kind of vulnerability. Help us build the safest marketplace in Indonesia.