This is a documentation of a persistent (stored) XSS vulnerability in Tokopedia, an Indonesian e-commerce startup.
December 12, 2016: A report is made to Tokopedia regarding the vulnerability in the morning. A security analyst responded that Tokopedia had already received a report on December 10, 2016 regarding the same issue, so this was a duplicate report.
December 13, 2016: The patch is deployed.
The vulnerability existed in Tokopedia's search keyword autocomplete system.
The following screenshot shows the search bar, with the payload inserted.
Since the search form is submitted using an HTTP GET request, an attacker can simply send a link containing the payload to a victim.
XSS is a common problem, and it is among the vulnerabilities listed by OWASP.
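As an added illustration (not code from the original post or from Tokopedia), below is a hypothetical autocomplete renderer that concatenates stored search keywords straight into markup, beside its output-encoded form; the stored keywords and the search URL are constructed sample values.

```javascript
// Added example (hypothetical, not Tokopedia's code): how a stored search
// keyword becomes persistent XSS when the autocomplete suggestion list is
// built from raw strings, and the fix with contextual output encoding.

// Escape the five characters that matter in an HTML text/attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable: previously searched keywords (persisted server-side) are
// concatenated straight into the markup the page will render, so any
// HTML stored in a keyword is parsed as HTML on every later visit.
function renderSuggestionsUnsafe(keywords) {
  return '<ul class="suggest">' +
    keywords.map((k) => `<li data-q="${k}">${k}</li>`).join('') +
    '</ul>';
}

// Hardened: every untrusted value is encoded for the context it lands in
// (attribute value and element text), so a stored keyword is displayed
// as text instead of being interpreted as markup.
function renderSuggestionsSafe(keywords) {
  return '<ul class="suggest">' +
    keywords.map((k) => `<li data-q="${escapeHtml(k)}">${escapeHtml(k)}</li>`).join('') +
    '</ul>';
}

// Constructed "stored" keywords: one benign, one carrying markup.
const storedKeywords = ['sepatu lari', '<script>alert(1)</script>'];

// Defender's check: rendered markup must not contain a raw <script> tag
// that originated from a stored keyword.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Because the search form is submitted with GET, the keyword also arrives
// via the URL; whatever is read here must go through the same encoding
// before it is stored or rendered.
function keywordFromSearchUrl(url) {
  return new URL(url).searchParams.get('q') ?? '';
}
```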