An API defect in Youku allows credential stuffing to obtain VIP accounts (demonstrating that a large number of VIP users can be harvested)
Summary: a defect in Youku's login API permits credential stuffing, and a second API then reveals each compromised account's VIP status.
Step 1:
Log in with the Android Youku client and capture the traffic; the following login request was obtained:
It is a bit messy, sorry; many fields are submitted. After trimming the request down during further testing, the following minimal working request was obtained:
Only three key fields matter: the user name, the password (sent as an MD5 hash), and what appears to be a fixed field similar to "method". This yields Youku's private login API.
With the login request in hand, batch credential stuffing is not difficult. Testing shows that Youku does impose some restrictions, for example on the number of attempts against the same user name (brute force) and on requests that arrive too fast, but they are not thorough: keeping the program single-threaded (one request at a time) still works, because the limits key on per-user counts and request rate rather than on how many different user names one source tries.
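The throttling described above is defeated simply by slowing down, so the signal worth monitoring is how many distinct user names a single source IP tries inside a window, not how fast it tries them. The following is an added example, not code from the original report or from Youku: an offline detector over a constructed login log (the log format, field names and IP addresses are assumptions) that flags a source which walks a credential list one user name at a time at a few seconds per request, while leaving a user who merely mistypes their own password alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real Youku data): "<ISO time> <source IP> <username> <result>".
# 203.0.113.5 walks a credential list single-threaded, one request every few seconds,
# which slips under a naive per-user or rate-based limit. 198.51.100.7 is one user retyping a password.
SAMPLE_LOG = """\
2014-03-01T10:00:00 203.0.113.5 user01 FAIL
2014-03-01T10:00:04 203.0.113.5 user02 FAIL
2014-03-01T10:00:09 203.0.113.5 user03 FAIL
2014-03-01T10:00:13 203.0.113.5 user04 OK
2014-03-01T10:00:18 203.0.113.5 user05 FAIL
2014-03-01T10:00:22 203.0.113.5 user06 FAIL
2014-03-01T10:00:27 203.0.113.5 user07 FAIL
2014-03-01T10:00:31 203.0.113.5 user08 FAIL
2014-03-01T10:00:02 198.51.100.7 alice FAIL
2014-03-01T10:00:20 198.51.100.7 alice FAIL
2014-03-01T10:00:35 198.51.100.7 alice OK
2014-03-01T10:00:40 192.0.2.9 carol OK
"""


def parse_log(text):
    """Parse the constructed log format into (time, ip, user, success) tuples."""
    entries = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        entries.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return entries


def find_stuffing_sources(entries, window=timedelta(minutes=10),
                          min_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct user names within `window`.

    Per-user attempt counters and raw request-rate limits miss this pattern:
    each user name is tried once and the requests are spaced out. Counting
    distinct user names per IP over a sliding window catches it regardless of speed.
    Returns {ip: {"distinct_users": n, "attempts": a, "successes": s}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in entries:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best = 0          # largest number of distinct user names seen in any window
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = len({u for _, u, _ in attempts[start:end + 1]})
            best = max(best, distinct)
        successes = sum(1 for _, _, ok in attempts if ok)
        # Stuffing runs mostly fail; a low success ratio separates it from a shared NAT
        # where many real users log in successfully from one address.
        if best >= min_users and successes / len(attempts) <= max_success_ratio:
            flagged[ip] = {"distinct_users": best,
                           "attempts": len(attempts),
                           "successes": successes}
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

Thresholds are deliberately parameters: a campus or corporate NAT legitimately shows many user names from one address, but with a high success ratio, which is why the detector requires both many distinct names and mostly failures before flagging.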
Step 2:
Once the request above logs in successfully, the response returns token-like fields. The VIP query API was found the same way: /common/v3/member_vip_info?pid=87c959fb273366eb. Requesting this endpoint with the token just obtained returns the account's VIP information.
This is only the result of stuffing one public credential dump; surprisingly, some of the accounts turned out to hold VIP subscriptions with a long time remaining.
Solution:
1. Add a verification field (a request signature) to the API; implement the signing algorithm in JNI so that it cannot be recovered by simple decompilation. Note that this only raises the effort: native code can still be reversed and the signing routine can be invoked from an instrumented client, so the signature must be combined with server-side limits.
2. Restrict the number of logon attempts from a single IP address, counted regardless of whether the attempts use the same user name or different user names.
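What the two recommendations look like on the server side, as an added example that is not code from the original report or from Youku: an HMAC request signature standing in for the verification field of item 1 (the key, field names and canonicalisation are assumptions; in the report's proposal the client half would live in a JNI library), and a per-IP attempt limiter for item 2 that counts attempts across all user names, so that a single-threaded run through a credential list is cut off after a fixed budget. The user store and password format mirror the MD5-hashed password observed in the captured request and are constructed for the demo, not a recommendation.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Assumed shared key embedded in the client (the report proposes hiding it in JNI).
# Any client-side key can be extracted, so the signature only raises the cost of
# building a stuffing tool; the LoginGate below is the control that actually stops it.
CLIENT_KEY = b"constructed-demo-key-not-real"

# Constructed user store: username -> MD5 of password, matching the captured request format.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}


def sign_request(fields, key=CLIENT_KEY):
    """Verification field: HMAC-SHA256 over the canonical (sorted) request fields."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig")
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def verify_request(fields, key=CLIENT_KEY):
    """Constant-time check of the client's signature; rejects tampered or unsigned requests."""
    return hmac.compare_digest(fields.get("sig", ""), sign_request(fields, key))


class LoginGate:
    """Per-IP limiter: counts attempts from an address regardless of user name (solution 2)."""

    def __init__(self, max_attempts=10, window_seconds=600):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.attempts = defaultdict(deque)   # ip -> timestamps of recent attempts

    def allow(self, ip, now):
        q = self.attempts[ip]
        while q and now - q[0] > self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def handle_login(gate, ip, fields, now):
    """Outcome for one login request: bad_signature, rate_limited, bad_credentials or ok."""
    if not verify_request(fields):
        return "bad_signature"
    if not gate.allow(ip, now):          # counted before credentials are checked
        return "rate_limited"
    if USERS.get(fields.get("username")) == fields.get("password"):
        return "ok"
    return "bad_credentials"


def simulate_stuffing(n, ip="203.0.113.5", spacing=5.0, budget=5):
    """Replay n single-threaded attempts with distinct user names; returns the outcomes."""
    gate = LoginGate(max_attempts=budget, window_seconds=600)
    outcomes = []
    for i in range(n):
        fields = {"method": "login",
                  "username": f"user{i:02d}",
                  "password": hashlib.md5(b"guess").hexdigest()}
        fields["sig"] = sign_request(fields)
        outcomes.append(handle_login(gate, ip, fields, now=i * spacing))
    return outcomes


if __name__ == "__main__":
    print(simulate_stuffing(8))
```

The limiter records the attempt before the credential check, so failed and successful logins both consume the per-IP budget; that is what makes "same user name or different user names" irrelevant to the attacker's throughput. Distributing the run across a proxy pool still spreads the budget, which is why the limiter belongs alongside the distinct-user-name monitoring rather than replacing it.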