A bug in Zhejiang Telecom's Online Business Office (updated)

A few days ago, I saw Zhejiang Telecom's online business office sign in for rice grains. I can sign in once a day. Each time I get a rice grain, I can get 21 rice grains for the first sign-in.
After playing for a few days, I found a bug in it. Let's look at the page first, the address is http://zj.ct10000.com/qiandao
After clicking it, it becomes grayed out and cannot be clicked again on that day, as shown in:

Let's take a look at the page.CodeIt's easy to find the following js method with the developer tool.

Pay attention to the Code in the red box. It determines whether to log on for the first time based on the parameters passed by the foreground. So what if we pass the "login first point" string every time?
To test the function, first log on to the online business office, and then execute the following JS Code on the sign-in page.

 
$ J. post ('/zjpr/score/qiandao/checkin.html', {'type': 'wt _ signin ', 'name': encodeuri ('first logon credits ')}, function (data) {alert (data );});
 

Check the number of Rice Grains:

There are 21 more, indicating that it is not verified in the background. At this time, if you execute it again, it will be ineffective, because the backend performs the verification only once a day.
What if I execute the above JS Code multiple times before signing in? Run the following code:

 
For (VAR I = 0; I <10; I ++) {$ J. post ('/zjpr/score/qiandao/checkin.html', {'type': 'wt _ signin ', 'name': encodeuri ('first logon credits ')}, function (data ){});}
 

Submit 10 requests at the same time to see how the background processes concurrency. Query

There are multiple records, and the number of rice grains has increased from 165 to 249. It indicates that no code is locked in the background (lock in C #, synchronized in Java), resulting in concurrency problems.

Conclusion: First, the front-end verification is required, and the backend verification is indispensable. Second, it is recommended to lock the corresponding code for operations with special restrictions, which can be used
Like locking, this restricts the concurrent operations of the same user without affecting other users.

Continued: Just now, I found another vulnerability that allows me to directly fl rice grains without limit. The principle is that there is a sharing link on the sign-in page, which can be shared with everyone, happy, and other websites.
Get a grain of rice. However, the sharing name is not filtered in the background, so I passed a random number and shared it successfully. I got a grain of rice. The JS Code is as follows:

 
$ J. post (basepath + 'zjpr/score/qiandao/checkin.html ', {"type": "wt_share", "channel": math. random (), "name": encodeuri ("share channel points")}, function (data ){});
 

Then write a loop, you know. I already have more than 1500 grains.

I have reported the bug to online customer service. If I can quickly handle it, it depends on the efficiency of China Telecom.