Hi Bug Hunters,
In this article, I’ll show you my finding on bukalapak.com.
Let’s see the request first.
The vulnerability is in the identity and browser_id cookie parameters.
I tried to input the payload below:
%3balert(document.location)%2f%2f
And boom, the payload was executed.
Finally, I found reflected XSS on bukalapak.com.
TIMELINE:
Report: 31/8/2021
Invalid: 1/9/2021, because self-XSS :(