Offensive Security Update (25 - 29 November 2019)

Progress

Product Security VA/PT

Patched

TAP Account Takeover via Stored DOM XSS through Flight Booking Data (/api/v2/trip/booking/createBooking) https://29022131.atlassian.net/browse/SECURITY-253
Reflected XSS in DesktopOneClickPage.js (dangerouslySetInnerHTML) https://29022131.atlassian.net/browse/SECURITY-285
Denial of Service (Crashing Web Server) via Prototype Pollution in API Proxy https://29022131.atlassian.net/browse/SECURITY-288
Reflected XSS on MCP Pages (MCPPage.js dangerouslySetInnerHTML) https://29022131.atlassian.net/browse/SECURITY-284
IDOR Cancelling Hotel Booking of Other Users ( /en-en/v2/hotel/book/cancelBooking ) https://29022131.atlassian.net/browse/SECURITY-206

Data Leak Vulnerability in PublicFlightRescheduleInfoAPI (/v2/reschedule/getBookingDetailDisplay) https://29022131.atlassian.net/browse/SECURITY-221
Unpatched:

4 XSS
1 SSRF (will be fully fixed on 3 Dec)
2 Data Leak (2 Medium)
4 Missing Access Control (All Medium)
2 payment security issue (2 High)
1 Corporate IT Infra security issue (1 Critical)

Red Team Exercise

Pwning 12 high profile employee and hundreds of Windows llaptop https://docs.google.com/document/d/1gb9LCPh-wlqEtea7rJiDN-NmTqSgCFziLV8AafglnpE/edit?ts=5dd3dacc#heading=h.vtup11s0on9v
AD Domain Admin Takeover https://docs.google.com/document/d/1Szh_gYzQMvXNjP96nT7FWcRZVuRbx-H434r4ae26myg/edit
Remote Code Execution (Insecure Deserialization) on Flight Tools https://docs.google.com/document/d/1Lni_DxTSqvU2Ixfy9vGw8bJVvWuw1rDjoBoLFPIhXyo/edit#heading=h.ogelsj30b19c

Offensive Security Excellence

Traveloka Back-end Architecture & Security Code Review (Fariskhi) https://docs.google.com/presentation/d/1vtlGOdHMgBaMQ7l63clH5QHzyOHRBfglofeTxxQeUVo/edit
Active Directory Attacks (Nicolas) https://docs.google.com/presentation/d/1JEV6cTh9jKdUONWBUcNI1zvETpYvSLLatCkPlo59aLk/edit?usp=sharing

Plan

Prepare for internal CTF
Tracking insecure deserialization vulnerability in security issue tracker
Meeting with:

Web Infra
Data Infra