Tokopedia DoS Vulnerability

This is a documentation of a DoS vulnerability in Tokopedia, an Indonesian e-commerce startup.

Timeline

September 2, 2015: A report regarding the vulnerability was sent to Tokopedia near midnight.

September 3, 2015: In the morning, Tokopedia responded with an email confirming that the report would be forwarded to the engineering team. The bug was fixed by the evening.

September 4, 2015: Tokopedia’s co-founder, Leontinus Alpha Edison, responded with an email informing me that the bug had been fixed.

The Vulnerability

The vulnerability existed on users’ online shop pages and on the search results page: both accepted a client-supplied page size without any upper bound.

Users’ Online Shop

On a user’s online shop page, Tokopedia provides a paging option for visitors. With this option, visitors may set the number of products displayed per page to 20, 40, or 80.

In the following screenshot, I set the number of displayed products to 80 per page. In the address bar we can see that a parameter has been added to request 80 products per page instead of the default 20.

Screenshot-01

The perpage parameter is not restricted to the three values offered by the interface; it can be set to any value. I set it to 1,000 products per page.

Screenshot-02

Comparing the scrollbar in the screenshot where I requested 80 products with the one where I requested 1,000 shows that I was indeed served far more products. Now, let’s try requesting 100,000 products.

Screenshot-03

After loading for some time, the page responded with an error. The online shop page was only vulnerable for users with a lot of products: if a user doesn’t have many products, the server can quickly load all of them regardless of the requested page size.

Search Results

On the search results page, Tokopedia returns 30 products per page by default. This is not obvious at first, as there is no paging option and no paging parameter is displayed in the address bar.

Screenshot-04

By adding a per_page parameter to the GET request, we can make the search page display an arbitrary number of products per page. In the following screenshot, I requested 50 products per page.

Screenshot-05

We can request a huge number of products per page. After loading for some time, the search results page displays an error message. In the following screenshot, I requested 1,000,000 products per page.

Screenshot-06

Risks

The vulnerability might allow an attacker to conduct a DoS attack on Tokopedia by repeatedly sending requests for the vulnerable pages with a huge number of products per page, since each such request ties up the server for a long time. I didn’t actually conduct a DoS attack, but it should be possible with stress testing tools such as wrk.
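As an added example (not Tokopedia’s code and not part of the original report), here is a Python sketch of the two defensive points this write-up implies: the vulnerable page-size parsing beside a hardened version for both pages, and a detection pass over constructed access-log lines that flags requests asking for more items than the interface ever offers. SEARCH_MAX, the /toko and /search paths, and the log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Limits inferred from the write-up; SEARCH_MAX is a hypothetical cap, not Tokopedia's code.
SHOP_ALLOWED = (20, 40, 80)   # the only sizes the shop page's paging UI offers
SHOP_DEFAULT, SEARCH_DEFAULT, SEARCH_MAX = 20, 30, 100

def _requested(url, name, default):
    """Vulnerable behaviour: use whatever integer the client supplies as the page size."""
    values = parse_qs(urlsplit(url).query).get(name)
    try:
        return int(values[0]) if values else default
    except ValueError:
        return default

def shop_page_size(url):
    """Hardened shop page: accept only the sizes the UI offers, else fall back to the default."""
    n = _requested(url, "perpage", SHOP_DEFAULT)
    return n if n in SHOP_ALLOWED else SHOP_DEFAULT

def search_page_size(url):
    """Hardened search page: clamp per_page into [1, SEARCH_MAX] so one request stays bounded."""
    n = _requested(url, "per_page", SEARCH_DEFAULT)
    return SEARCH_DEFAULT if n < 1 else min(n, SEARCH_MAX)

LOG_RE = re.compile(r'^(?P<client>\S+) .*"GET (?P<target>\S+) HTTP/')

def suspicious_requests(log_lines):
    """Detection: (client, target) for requests asking for more items than the UI ever would."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        too_big = (_requested(target, "perpage", 0) > max(SHOP_ALLOWED)
                   or _requested(target, "per_page", 0) > SEARCH_MAX)
        if too_big:
            hits.append((m.group("client"), target))
    return hits

SAMPLE_LOG = [  # constructed sample lines in common log format, not real Tokopedia traffic
    '203.0.113.5 - - [02/Sep/2015:23:51:02 +0700] "GET /toko?perpage=80 HTTP/1.1" 200 51234',
    '203.0.113.5 - - [02/Sep/2015:23:52:10 +0700] "GET /toko?perpage=100000 HTTP/1.1" 500 0',
    '198.51.100.9 - - [02/Sep/2015:23:53:44 +0700] "GET /search?q=sepatu&per_page=50 HTTP/1.1" 200 40211',
    '198.51.100.9 - - [02/Sep/2015:23:54:01 +0700] "GET /search?q=sepatu&per_page=1000000 HTTP/1.1" 500 0',
]
```

Run `suspicious_requests(SAMPLE_LOG)` to see only the two oversized requests reported; the same threshold logic works as a WAF rule or a log-alerting query.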