Phone verification codes for phone ordering can be bypassed, leaking real user information and causing other problems. I cannot go into much detail here.
Well, don't raise the prices later; it's already too expensive.
Detailed description:
On the order page, select "order by phone", enter the mobile phone number, and click "Send verification code". In the normal flow the phone receives the verification code by SMS. Capturing the request with Burp, however, shows that the verification code is also returned to the client in the HTTP response, so the SMS verification is essentially fake. Entering that verification code lets you view the order address associated with the phone number.
Proof of vulnerability:
There are two consequences:
1. Leakage of real customer information.
2. Anyone with a grudge against mc could place orders in customers' names.... The loss would be real money, so the rank should be higher.
Solution:
1. The verification code must never be returned to the client.
2. Shorten the validity period.
3. Limit the submission rate to prevent brute-force guessing.
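As an added example that is not part of the report, the hardened flow the solution calls for, beside the response pattern the description found (in Python; the in-memory store, the SMS-gateway stand-in and the TTL/interval values are assumptions):

```python
import hashlib, hmac, os, secrets, time

# Constructed in-memory store (assumption: a real service would use a shared
# cache with the same TTL semantics) and a list standing in for the SMS gateway.
_store = {}
_sent_sms = []
CODE_TTL = 300        # seconds a code stays valid (the report's "shorten the validity period")
RESEND_INTERVAL = 60  # minimum seconds between sends to one number
MAX_ATTEMPTS = 5      # failed checks before the code is invalidated (anti brute force)
_SECRET = os.urandom(32)  # keyed hash so a leaked store does not expose live codes

def _hash(phone, code):
    return hmac.new(_SECRET, f"{phone}:{code}".encode(), hashlib.sha256).hexdigest()

def send_code(phone, now=None):
    """Hardened flow: the code goes only to the SMS gateway, never into the HTTP response."""
    now = time.time() if now is None else now
    entry = _store.get(phone)
    if entry and now - entry["sent_at"] < RESEND_INTERVAL:
        return {"status": "rate_limited"}
    code = f"{secrets.randbelow(10**6):06d}"
    _store[phone] = {"hash": _hash(phone, code), "exp": now + CODE_TTL,
                     "sent_at": now, "attempts": 0}
    _sent_sms.append((phone, code))
    return {"status": "sent"}

def vulnerable_send_code(phone, now=None):
    """The pattern in the report: same generation, but the code is echoed to the client."""
    resp = send_code(phone, now)
    if resp["status"] == "sent":
        resp["code"] = _sent_sms[-1][1]  # the defect: the secret leaves the server
    return resp

def verify_code(phone, code, now=None):
    """Returns "ok", "wrong", "expired" or "locked"; a code is single-use."""
    now = time.time() if now is None else now
    entry = _store.get(phone)
    if entry is None or now > entry["exp"]:
        _store.pop(phone, None)
        return "expired"
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        _store.pop(phone, None)
        return "locked"
    if hmac.compare_digest(entry["hash"], _hash(phone, code)):
        _store.pop(phone, None)
        return "ok"
    return "wrong"
```

The only difference between the two send paths is the `"code"` field in the response; with it gone, the client has to prove possession of the phone, and the TTL, resend interval and attempt counter bound how long and how often a guess can be tried.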
So detailed; cool, a real white hat!
Author: unic02n