QR codes are everywhere now: QR-code sign-in, QR-code payment, QR-code account applications (QR-code trojans and scams are not discussed here), QR-code verification, and a growing number of terminal-assisted authorization applications. First, what is a QR code? It is simply binary data stored as a black-and-white picture. When a QR-code login is required, the server generates a temporary, unique QR-code message and sends it to the client in the form of a QR-code picture written into the web page; that is the familiar square QR code you then see. If done properly, this QR-code information should have an expiry; that is set aside for now. Let us just look at the simple WeChat login:
First, the overall authorization flow:
On the client web page, the browser keeps opening HTTPS connections to the server, each of which transfers very little data before being closed. Below is the login1c709c.js file from the WeChat page:
// Module wrapper: invoked at the bottom of the listing as (jQuery, window),
// so $ is jQuery and _aowin is the window object. Formatting and identifier
// casing in this listing are mangled by the paste; read it for structure.
(Function ($, _aowin) {_aowin.qrlogin = {};
_aowin.loginlog = "";
// _sbasehost is chosen from the page's own domain/hostname and is the host
// every login URL further down (QR image, poll, jslogin) is built on.
var _sbasehost = "", _ologinqrcodeimg = document.getElementById ("Loginqrcode");
// NOTE(review): the domain check uses loose equality (==); a strict
// comparison would be the conventional form. The regex on the next line
// has lost its opening delimiter in the paste.
if (Document.domain = = "Qq.com") {_sbasehost = "weixin.qq.com";
else if (Location.hostname.match (wechat\.com) $/) {_sbasehost = "wechat.com";
// show_tip is sent as the "tip" query parameter on every poll request (see _poll).
// _awebmmcallbacks queues functions that need _aowin.webmm; the interval
// below checks for it every 1000 ms, then drains the queue once and stops.
}else{_sbasehost = "wechatapp.com"; var show_tip = 1, _scuruuid, _oresettimeout, _awebmmcallbacks = [], _odetactwebmminterval = setinterval (function ()
{if (_aowin.webmm) {clearinterval (_odetactwebmminterval);
var callback;
// Non-function entries are skipped rather than thrown on.
while (callback = _awebmmcallbacks.shift ()) {if (typeof (callback)!= "function") continue;
Callback ();
}}, 1000);
// Appends one line to the in-page login log kept on _aowin.loginlog.
// NOTE(review): the paste reads the bare name Loginlog on the right-hand
// side; presumably _aowin.loginlog — confirm against the original file.
function _loginpage (_aslog) {_aowin.loginlog = Loginlog + _aslog + "\ n";
// Runs callback right away if _aowin.webmm is already present; otherwise
// pushes it onto _awebmmcallbacks for the detector interval to run later.
} function _afterloadwebmmdo (callback) {if (!_aowin.webmm) {_awebmmcallbacks.push (callback);
}else{callback ();
// Logs text locally and, once webmm is available, ships it to the server
// through Webmm.osslog and flushes immediately.
} function _reportnow (text) {_loginpage (text);
_afterloadwebmmdo (function () {Webmm.osslog ({text:text}); Webmm.flushosslog();
});
// QR image load bookkeeping: reloadqrimgcount counts watchdog reloads,
// loadqrcodetime is the start timestamp behind the timing log lines, and
// loadqrimgwatchdog is the interval handle cleared on a successful load.
// NOTE(review): the fail message references `status`, which is not declared
// anywhere in this listing — confirm where it comes from.
var reloadqrimgcount = 0, loadqrcodetime = 0, loadqrimgsucc = function () {clearinterval (Loadqrimgwatchdog); _loginpage ("Load qrcode Success, time=" + (new Date (). GetTime ()-Loadqrcodetime) + "MS, Reload Count:" + Reloadqrimgcoun
T); }, Loadqrimgfail = function (img) {_reportnow ("Load qrcode fail! + status +", src: "+ img.src +", Time: "+" (New Dat
E (). GetTime ()-Loadqrcodetime) + "MS");
}, Loadqrimgwatchdog = null;
// Shows the QR image for the given uuid and starts polling the login server.
//  - _poll(uuid) is started before the image itself is requested.
//  - the image URL is https://login.<_sbasehost>/qrcode/<uuid> followed by
//    "T=WEBWX" in this paste (presumably a ?t=webwx query string — confirm).
//  - a 5000 ms watchdog re-requests the image, with a timestamp cache-buster,
//    up to 5 times and then calls _reset(), which reloads the page.
// NOTE(review): the parameter is spelled UUID/uuid inconsistently in the paste.
function _loadqrimg (UUID) {_poll (UUID);
_loginpage ("Load qrcode Start");
Loadqrcodetime = new Date (). GetTime ();
// onload is cleared after the first success; the watchdog below uses that
// to tell whether the primary load has already completed.
_ologinqrcodeimg.onload = function () {LOADQRIMGSUCC ();
_ologinqrcodeimg.onload = null;
};
_ologinqrcodeimg.onerror = function () {Loadqrimgfail (this)}; _OLOGINQRCODEIMG.SRC = "Https://login."
+_sbasehost+ "/qrcode/" +uuid+ "T=WEBWX";
// Watchdog: after 5 reloads give up and reload the whole page.
Loadqrimgwatchdog = setinterval (function () {if (Reloadqrimgcount >= 5) {_reset ();
Return
} reloadqrimgcount++;
// Load a fresh copy off-screen; swap it in only if the primary load has not fired yet.
var _img = new Image (); _img.onload = function () {if (!_ologInqrcodeimg.onload) return;
_ologinqrcodeimg.onload = null;
_OLOGINQRCODEIMG.SRC = This.src;//replace loadqrimgsucc ();
};
_img.onerror = function () {Loadqrimgfail (this)};
// &r=<timestamp> defeats caching of the retry request.
_IMG.SRC = _ologinqrcodeimg.src + "&r=" + New Date (). GetTime ();
}, 5000);
// Poll state: _najaxtimeout starts at 1000 ms and is raised to 5 s in the
// 201 branch of _poll; _nnewloginfuncerrcount counts failed fetches of the
// new-login page; _ssecondrequesttime times the poll issued after 201.
var _ssecondrequesttime = 0, _najaxtimeout = 1000, _nnewloginfuncerrcount = 0;
// Polls https://login.<_sbasehost>/cgi-bin/mmwebwx-bin/login?uuid=<uuid>&tip=<show_tip>
// and drives the login state machine from the code it returns.
// The request uses dataType "script", so jQuery executes the response body
// as JavaScript; that executed response is what sets the globals read below
// (window.code / _aowin.code and _aowin.redirect_uri). Everything read from
// window after a poll is therefore server-supplied.
// Self-reference goes through arguments.callee (non-strict code only).
// The first case label has lost its value in this paste; 201, 408 and 400
// survive. The ajax call's closing "});" is the first thing on the line after
// this function.
function _poll (_asuuid) {var _self = Arguments.callee, _ntime = 0;
_scuruuid = _asuuid;
_loginpage ("_poll Request Start, Time:" + new Date (). GetTime ());
// NOTE(review): this URL reads "Https://login" + _sbasehost with no dot
// between them in the paste, unlike the jslogin URL in _getuuid — confirm.
_ntime = new Date (). GetTime (); $.ajax ({type: "Get", url: "Https://login" + _sbasehost + "/cgi-bin/mmwebwx-bin/login?uuid=" + _asuuid + "&tip=" + Show_tip, DataType: "Script", Cache:false, timeout: _najaxtimeout, success:function (data, Textstatus, JQXHR) {_lo
Ginpage ("_poll Request Success, code:" + Window.code + ", Time:" + (New Date (). GetTime ()-_ntime) + "MS"); Switch (_aowin.code) {case: _ssecondrequesttime = new Date (). GetTime ()-_ssecondrequesttime;
// First case (label lost): reached by the poll issued after 201. Cancel the
// pending page-reload timer and fetch the new-login page from redirect_uri.
_loginpage ("Second Request Success, Time:" + _ssecondrequesttime + "MS");
Cleartimeout (_oresettimeout);
// GET <redirect_uri>&fun=new and pull <script>…</script> and <skey>…</skey>
// out of the HTML with two greedy, single-line regexes.
var _fnewloginfunc = function () {$.ajax ({URL: _aowin.redirect_uri + "&fun=new",//new login page type: "Get",
Success:function (msg) {_loginpage ("new Func reponse, reponsemsg:" + msg);
var code = Msg.match (/<script> (. *) <\/script>/);
var skey=msg.match (/<skey> (. *) <\/skey>/);
// SECURITY: eval() of a script body extracted from the response. Anything
// able to alter that response (the redirect_uri host is itself set by the
// executed poll response) runs with the page's privileges; a JSON-shaped
// reply parsed with JSON.parse would remove the need for eval here.
// If no <script> is present the login container is swapped for the main one.
if (code) {eval (code[1]);
}else{$ ("#container"). Show ();
$ ("#login_container"). Hide ();
} if (Skey && skey[1]) {Webmm.model ("account"). Setskey (skey[1));
// Error path: after more than 5 failures ask the user to refresh, otherwise
// report and retry after 500 ms.
}, Error:function (JQXHR, Textstatus, Errorthrown) {_nnewloginfuncerrcount++; if (_nnewloginfuncerrcount > 5) {if (Confirm ("Call new Login page func error, refresh?")
{location.reload ()} return; } _reportnow (_aowin.redirect_uri + "New login page func error:" + Textstatus + "RetryCount:" + _nnewloginfuncerrcoun
T); SettimeoUT (_fnewloginfunc, 500);
}
});
};
_fnewloginfunc (); _reportnow ("/cgi-bin/mmwebwx-bin/login, Second Request Success, uuid:" + _asuuid + ", Time:" + _ssecondrequesttime + "ms
");
Break
// 201: show the success message, send tip=0 from now on, raise the ajax
// timeout to 5 s, start the "second request" timer and poll again at once.
Case 201:cleartimeout (_oresettimeout);
Show_tip = 0;
$ ('. ErrorMsg '). Hide ();
$ ('. Normldesc '). Hide ();
$ ('. Successmsg '). Show ();
_reportnow ("/cgi-bin/mmwebwx-bin/login, Success, uuid:" + _asuuid);
_reportnow ("/cgi-bin/mmwebwx-bin/login, Second Request Start, uuid:" + _asuuid);
_ssecondrequesttime = new Date (). GetTime ();
_najaxtimeout = 5 * 1000;
_self (_ASUUID);
Break
// 408: poll again after 500 ms.
Case 408:settimeout (function () {_self (_ASUUID);
}, 500);
Break
// 400 and a second label (value lost in the paste): reload the page and log.
Case 400:case: _reset ();
_afterloadwebmmdo (function () {_AOWIN.LOG.D (", Login Poll Svr Exception");
});
// Transport error: retry after 500 ms on timeout, 5000 ms otherwise.
Break }, Error:function (JQXHR, Textstatus, Errorthrown) {if (Textstatus = ' timeout ') {settimeout (function () {_self
(_ASUUID);
}, 500); } else {settimeout (function () {_self) (_asuuID);
}, 5000);
_loginpage ("_poll Request Error:" + textstatus);
_afterloadwebmmdo (function () {_AOWIN.LOG.E ("Login Poll Error:" + textstatus);
});
}
}
// _getuuid: asks https://login.<_sbasehost>/jslogin for a fresh login uuid.
// The request carries appid=wx782c26e4c19acffb, fun=new, lang=<document.lang>
// and a redirect_uri built from the page's own location.protocol and
// location.host plus /cgi-bin/mmwebwx-bin/webwxnewloginpage. It again uses
// dataType "script": the executed response is what populates _aowin.qrlogin
// (code, uuid) read in the success handler.
// getuuidcount counts attempts; _bgetuuidsuccess makes the success path
// run only once even if several responses arrive.
// NOTE(review): in this paste the "//ajax success" comment has swallowed the
// "function _getuuid () {" header that follows it on the same line, and the
// line before this one ends with the "});" that closes _poll's ajax call.
}); var getuuidcount = 0, _getuuidwatchdog, _bgetuuidsuccess = False;//ajax successִfunction _getuuid () {GetUUIDCoun
t++; var _self = Arguments.callee, _loaderror = function (ErrorText) {_reportnow ("Load UUID error!
ErrorText: "+ errortext +" getuuidcount= "+ getuuidcount); if (Getuuidcount > 5) {if confirm ("Load uuid error.") Refresh? "))
{location.reload ();
} settimeout (function () {_self ();
}, 500);
};
// 10 s watchdog: if no qrlogin.code has arrived by then, request again.
Cleartimeout (_getuuidwatchdog);
_getuuidwatchdog = settimeout (function () {if (!_aowin.qrlogin.code) {_loginpage ("Getuuid Timeout, watchdog Run");
_self ();
}, 10000); $.ajax ({type: "Get", url: "Https://login." + _sbasehost + "/jslogin?appid=wx782c26e4c19acffb&redirect_uri=" +encod Euricomponent (location.protocol+ "//" +location.host+ "/cgi-bin/mmwebwx-bin/webwxnewloGinpage ") +" &fun=new&lang= "+ Document.lang, DataType:" Script ", Cache:false, Success:function () {Cleart
Imeout (_getuuidwatchdog);
// Ignore any further success callbacks once one has been handled.
if (_bgetuuidsuccess) return;
// Success: qrlogin.code equals a value lost in this paste.
if (_aowin.qrlogin && _aowin.qrlogin.code = =) {_loginpage ("Getuuid Success, uuid=" + qrlogin.uuid);
_bgetuuidsuccess = true;
// Arm a full page reload for when the code expires (the original comment
// says 5 minutes; the paste reads "5 * *1000"). The original comment also
// explains why a reload is used instead of _reset(): lingering _poll
// requests would otherwise keep coming back with 408.
Cleartimeout (_oresettimeout); _oresettimeout = settimeout (function () {location.reload ();//note:don ' t run _reset ().
If you run _reset (), there would may have many _poll request, as they get 408 return code}, 5 * *1000);//5 mins
_loadqrimg (QRLOGIN.UUID);
// Any other code: log it and take the retry/refresh path.
else {var Qrlogincode = (_aowin.qrlogin && _aowin.qrlogin.code)? _aowin.qrlogin.code: "None";
_loginpage ("Getuuid Error, qrlogin.code=" + Qrlogincode);
_loaderror ("qrlogin.code=" + Qrlogincode);
// Transport errors take the same retry path.
}, Error:function (XHR, Textstatus, Errorthrown) {_loginpage ("Getuuid error, textstatus=" + textstatus);
_loaderror (Textstatus);
}
// _reset: reloads the page; also used by the QR image watchdog and by _poll.
}); function _reset () {LocatIon.reload ();
// Entry point: the uuid request is only started while the login container is visible.
} if ($ ("#login_container"). Is (": visible")) {_getuuid ();
// Stat beacon, fired at most once (guarded by _bhadlog): reads the webwxuvid
// cookie with a regex over document.cookie and requests
// /cgi-bin/mmwebwx-bin/webwxstatreport?funkey=indexdemo&uvid=<uvid>&uuid=<current uuid>
// through a throw-away Image. The cookie value and the uuid are interpolated
// into that same-origin URL without encodeURIComponent. The uuid suffix of
// the URL continues on the first line of the next chunk.
var _bhadlog = false;
function _osslog () {if (_bhadlog) return;
_bhadlog = true; var _suvid = Document.cookie.match (New RegExp ("(^|)" + "Webwxuvid" + "= ([^;]
*)(;|$)"));
// match() yields [whole, prefix, value]; bail out unless the value group is present.
if (!_suvid | | _suvid.length < 3) return;
_suvid = _suvid[2]; (New Image ()). src = "/cgi-bin/mmwebwx-bin/webwxstatreport?funkey=indexdemo&uvid=" +_suvid+ "&uuid=" +_
Scuruuid; } if ($ ("img.guide"). Length > 0) {var _ntimer = 0, _oguide$ = $ (". Guide"), _oguidetrigger$ = $ (". #guideTrigger, #t
Iptrigger "), _omask$ = $ (". Mask "); function _back () {_ntimer = settimeout (function () {_omask$.stop (). Animate ({opacity:0}, function () {$ (". Mask"). Hide ()}
);
_oguide$.stop (). Animate ({marginleft: " -120px", opacity:0}, "n", "Swing", function () {_oguide$.hide ();
});
}, 100);
// Guide overlay, wired only when an img.guide exists (the `if` and its var
// list begin on this chunk's first line, right after the tail of _osslog).
// _back, which closes here, waits 100 ms, fades the mask out and slides the
// guide to -120px before hiding it. Below: hovering the trigger cancels that
// timer, shows the mask, slides the guide in, and fires _osslog once; hovering
// the guide itself only cancels the timer. Leaving either schedules _back.
}/*guide*/_oguide$.css ({"Left": "50%", "opacity": 0});
_oguidetrigger$.css ({"BackgroundColor": "White", "opacity": "0"}); _oguidetrigger$.mouseover (functiOn () {cleartimeout (_ntimer);
_omask$.show (). Stop (). Animate ({"Opacity": 0.2}); _OGUIDE$.CSS ("Display", "block"). Stop (). Animate ({marginleft: "+168px", opacity:1}, 900, "Swing", function () {_oguide$
. Animate ({marginleft: "+153px"}, 300);
});
_osslog ();
}). Mouseout (_back);
_oguide$.mouseover (function () {cleartimeout (_ntimer);
}). Mouseout (_back);
// End of the wrapper: invoked with jQuery as $ and window as _aowin.
}) (jQuery, window);
After reading the JS you can see that, from the client side, the page requests a login and then polls the server over SSL every 500 milliseconds, asking whether the current QR code has been authorized by another client (the phone). If the result is 201, the account that scanned the QR code has granted this terminal login authorization; in any other case the request is repeated after another 500 milliseconds. This continues until the QR code is scanned or the QR code times out.
The tools used were the packet-capture tool Fiddler and the Chrome F12 developer tools. An incidental discovery: the WeChat client also loads a min-webmm1cba21.js in which the XSS filter specification is clearly visible — of interest to anyone white-box testing that XSS filtering.