On XSS and IDOR


At Bukalapak, we are committed to protecting our users' data. Many vulnerabilities could expose it, but two of the most common are cross-site scripting (XSS) and insecure direct object reference (IDOR). We know without a doubt how important these two classes are and how much damage they can cause.

Cross-site Scripting

As an introduction: XSS is the injection of script (usually browser-side script, that is JavaScript) into a website so that, when the page is later served to a different user, the script runs in that user's browser with the page's own origin. There are a lot of things XSS can steal, but the grand prize is the session identifier stored in the browser's cookie (which is why session cookies should carry the HttpOnly flag; even then, script running in the page can still act as the user without ever reading the cookie). If the attacker gets an admin session, it's a jackpot.

// a single alert box is enough as the proof of concept
alert()

The solution is conceptually simple: validate every input and escape every output for the context it is written into. Input is not limited to user-provided content; reading config files, reading an image from disk, retrieving data from third-party APIs and so on are all input. Likewise, output is not limited to HTML printed by the view layer. A SQL query is output too, because the data leaves our application and enters the database's scope; writing a file to disk is output, and running a shell command is output. Each of those sinks needs its own escaping or, better, an API that keeps data and code apart (parameterised queries, an argument array instead of a shell string). For HTML in particular, the right escaping depends on where the value lands: element text, an attribute value, a URL and an inline script each follow different rules, and an escaper for one context does not protect the others. Browsers offer some mitigations (a Content Security Policy can limit what injected script is able to do), but it is good practice to harden from right inside the system rather than rely on them.
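The three HTML contexts mentioned above, shown side by side in an added example (this is illustrative code written for this page, not code from the original post or from Bukalapak's systems). The template, the helper names and the three payloads are all constructed for the demo; the point is that the same value needs a different escaper in element text, in an attribute and inside an inline script.

```javascript
// Added example (not from the original post): context-aware output escaping
// for a small profile page. Template, payloads and helper names are
// constructed for the demo.

// Escape the characters that matter inside HTML text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Serialise a value for an inline <script> block. JSON.stringify alone is
// not enough: a "</script>" inside the string would close the element, so
// '<' and '>' are emitted as JavaScript escape sequences instead.
function escapeForScript(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}

// Vulnerable: the display name is concatenated unescaped into three
// different contexts (element text, attribute value, JavaScript string).
function renderProfileUnsafe(displayName) {
  return `<h1>${displayName}</h1>` +
         `<input name="nick" value="${displayName}">` +
         `<script>var user = "${displayName}";</script>`;
}

// Hardened: each interpolation is escaped for the context it lands in.
function renderProfileSafe(displayName) {
  return `<h1>${escapeHtml(displayName)}</h1>` +
         `<input name="nick" value="${escapeHtml(displayName)}">` +
         `<script>var user = ${escapeForScript(displayName)};</script>`;
}

// Count <script> elements in the rendered page. The template contributes
// exactly one; anything beyond that came from the interpolated data.
function countScriptTags(html) {
  return (html.match(/<script\b/g) || []).length;
}

// Constructed payloads, one per context. Each pops an alert() in the unsafe
// rendering and is inert text in the safe one.
const payloads = [
  '<script>alert()</script>',            // breaks out of element text
  '" autofocus onfocus="alert()',        // breaks out of the attribute value
  '</script><script>alert()</script>',   // breaks out of the JavaScript string
];

for (const p of payloads) {
  console.log('payload :', p);
  console.log('unsafe  :', renderProfileUnsafe(p), '(script tags:', countScriptTags(renderProfileUnsafe(p)) + ')');
  console.log('safe    :', renderProfileSafe(p), '(script tags:', countScriptTags(renderProfileSafe(p)) + ')');
}
```

Note that the second payload never adds a script tag; it turns the existing input element into an event-handler sink, which is why counting tags is only a demonstration aid and why escaping quotes in attribute context matters as much as escaping angle brackets.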

If you want to learn how to find XSS in your own site, you can practise on the training site provided by Google. They really understand how dangerous XSS is.

Insecure Direct Object Reference

The second one is IDOR. It means that a user can access data or execute an operation on an object they are not authorised for, simply by referencing it directly. For example, from https://www.example/transactions/123456 we can infer that 123456 is the identification number of our transaction. If we request https://www.example/transactions/123457 and it shows another transaction that is not ours, that is an IDOR vulnerability: the application authenticated us but never checked that the object we asked for belongs to us. IDOR can apply to any URL or API endpoint, and to identifiers passed in query strings, form fields and JSON bodies as well as in the path.

This one is far more destructive: https://www.example/transactions/123456/delete. If that URL behaves the way it reads, the transaction will be deleted. With a simple automated HTTP client that walks through sequential identifiers, an attacker could steal or nuke a huge amount of data. The fix is straightforward: authorise access to every single resource, in every handler, by checking that the authenticated user is allowed to act on the specific object being referenced. No exceptions. Random or unguessable identifiers (UUIDs, for instance) make enumeration harder, but they are not a substitute for that check.
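The read and delete handlers described above, as an added example that is not code from the original post or from Bukalapak's systems. The in-memory store, the session table, the user ids and the choice of status codes are all constructed for the demo; the vulnerable handler authenticates the caller and stops there, while the hardened ones run the same ownership check before returning or deleting anything.

```javascript
// Added example (not from the original post): object-level authorization
// for the transaction endpoints discussed above. Store, sessions, user ids
// and status codes are constructed for the demo.

// Fresh in-memory store so the demo and any test start from the same data.
function makeStore() {
  return new Map([
    [123456, { id: 123456, ownerId: 'alice', amount: 150000 }],
    [123457, { id: 123457, ownerId: 'bob',   amount:  99000 }],
    [123458, { id: 123458, ownerId: 'carol', amount: 420000 }],
  ]);
}

// Session cookie -> authenticated principal.
const sessions = new Map([
  ['sess-alice', { userId: 'alice', role: 'user' }],
  ['sess-admin', { userId: 'ops-1', role: 'admin' }],
]);

function currentUser(sessionId) {
  return sessions.get(sessionId) || null;
}

// Vulnerable: the handler authenticates the caller but never asks whether
// the caller may see *this* transaction. Any logged-in user can read every
// row just by changing the id in the URL.
function getTransactionUnsafe(store, sessionId, id) {
  if (!currentUser(sessionId)) return { status: 401 };
  const tx = store.get(id);
  return tx ? { status: 200, body: tx } : { status: 404 };
}

// One authorization rule, shared by every handler that touches a
// transaction: the owner may act on it, and so may an admin.
function canAccess(user, tx) {
  return user.role === 'admin' || tx.ownerId === user.userId;
}

// Hardened: load the object, then check the caller's right to it before
// returning anything. "Does not exist" and "not yours" both become 404 so
// the endpoint does not confirm which ids are valid.
function getTransactionSafe(store, sessionId, id) {
  const user = currentUser(sessionId);
  if (!user) return { status: 401 };
  const tx = store.get(id);
  if (!tx || !canAccess(user, tx)) return { status: 404 };
  return { status: 200, body: tx };
}

// The destructive variant from the post, with the same check in front of it.
function deleteTransactionSafe(store, sessionId, id) {
  const user = currentUser(sessionId);
  if (!user) return { status: 401 };
  const tx = store.get(id);
  if (!tx || !canAccess(user, tx)) return { status: 404 };
  store.delete(id);
  return { status: 204 };
}

// The "simple automated HTTP client" an attacker would use: walk a range of
// sequential ids with one session and record which ones come back.
function enumerateIds(handler, store, sessionId, from, to) {
  const found = [];
  for (let id = from; id <= to; id++) {
    if (handler(store, sessionId, id).status === 200) found.push(id);
  }
  return found;
}

const store = makeStore();
console.log('unsafe, as alice:', enumerateIds(getTransactionUnsafe, store, 'sess-alice', 123450, 123460));
console.log('safe,   as alice:', enumerateIds(getTransactionSafe, store, 'sess-alice', 123450, 123460));
```

Keeping the rule in one function (canAccess) is the design choice that matters: when every handler calls it, a missing check shows up as an obviously absent call in review, rather than as a subtly different inline condition in each endpoint.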

Although we at Bukalapak have a whole security squad vigorously striving for security, and have taken multiple measures to close these vulnerabilities while developing new things, there is still no impregnable fortress. Please talk to us if you find any kind of vulnerability. Help us build the safest marketplace in Indonesia.
