Looking at website security issues through the vulnerabilities of a group-buying site [reprinted]

Source: Internet
Author: User

Since I bought a hot pot package in March from a group-buying site recommended by my colleagues, I've been hooked. I browse it almost every day to see what's cheap and tasty.

New Year's Day was no exception. On the morning of the 1st I saw the xxx group-buying site's "VIP members receive a red packet for 0 yuan" promotion. 0 yuan? That's what I like best. I've taken part in plenty of 0-yuan lottery events, but people always have faith in their luck. So I registered and clicked Buy to go to the shopping cart.

I clicked "Confirm order". Why did an alert say "Only VIP members can participate in this activity"? My first reaction was to view the page source (since the activity has ended, I can no longer get to the purchase page, so I'll use pseudocode here):

    // Click handler for the order confirmation button
    // (the VIP check happens only in the browser, which is the flaw described below)
    function btn_click() {
        // Ajax request that returns the current user's type (endpoint path assumed)
        fetch('/user/type').then(function (r) { return r.text(); }).then(function (userType) {
            if (userType !== 'VIP') {
                alert('Only VIP members are allowed to participate in this activity');
            } else {
                form1.submit();
            }
        });
    }

In the address bar I typed javascript:form1.submit(); and pressed Enter. It went to the payment page; I clicked OK and the purchase succeeded! I got a 5 yuan red packet!


Awesome!!! I registered a new account, repeated the steps above, and again received a 5 yuan red packet.

I immediately left a message for customer service describing this bug, but haven't had a reply yet, heh.

The crux of this vulnerability is that the developer forgot to check whether the current user is a VIP member in the server-side code that handles form1.submit(), relying only on JavaScript validation.

What's the point of front-end validation? It can be bypassed. Server-side validation is what matters!!


Encouraged by the morning's gains, on the evening of the 1st I went looking for more vulnerabilities in the group-buying site, and found a more serious one.

The site was running a New Year's Day lucky draw: a free group purchase that let you join a golden-egg smashing activity. After buying in, I found that you had to invite friends to get a chance to smash a golden egg; each friend invited gave one more chance.

As soon as I clicked the golden egg, an alert said "You have no chances to draw. Invite friends now!" Hmm, JavaScript again? Let's look at the code first:

This is the golden egg click event. One of the pages it accesses via Ajax is lottery1.php, and the chance variable passed in should be the current user's number of chances.

I tried accessing lottery1.php?chance=1 directly: it returned an error string. lottery1.php?chance=0: error. lottery1.php?chance=-1: also an error. No effect? I refreshed the egg-smashing page. Wow!!

Had passing -1 caused an overflow? I smashed a few eggs and got a voucher every time!! Awesome. Next I tried placing an order with a voucher, and it did knock a few dollars off (though one order can only use one voucher).

I immediately contacted customer service. It was after hours: QQ was offline and I couldn't get through on the phone, so I had to leave a message.

What next? Click away! There were about 4.2 billion golden eggs, so I wrote a bit of JS to smash them automatically! As of now a total of 3588 golden eggs have been opened, and at least 2000 of them were smashed by me.

I got a lot of vouchers:

A full 185 pages, haha, pretty spectacular!!!

On the 2nd, I looked through the site's code again and found an even more serious problem:

The JS has a method like this:

At first glance it's related to money. Pass in a user ID and an amount of money, and see what happens.

How do I get a user ID? No problem, here it is:

96204 is the ID of my current account. After one request the system returned "offline recharge successful". Wow, really? Is there no permission check on the recharge page?

Checking the account balance, the recharge had indeed gone through:

My balance was 20 thousand. Wow!! This vulnerability is far too serious, so I immediately left a message for customer service. After I left it, their developer called me and discussed it with me.

I told him about the vulnerabilities I'd found. Poor developer: on New Year's Day, the code would be changed after PM.

After the change, he said the boss might send me some gifts, so I look forward to it.

Finally he wiped my account balance, and I screamed inside: NO~ yes~ ah, my 20 thousand RMB~~~~~~~~


To sum up: front-end validation is not reliable; the backend must validate again. Management pages must have access permission checks. Data sent to the backend must be validated for legitimacy. Don't pass parameters that aren't needed: with the golden eggs, for example, why pass the current user's number of chances at all, when the backend can read it directly from the database? Don't transmit such data in plain text. In addition, XSS cross-site scripting attacks should be prevented (generally by checking the Host header).
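As an added example (not the original post's code, nor the site's), here are the three server-side checks the summary calls for, written in JavaScript: the VIP check repeated on the server, the lottery chance read from the database instead of the request, and the recharge action restricted to administrators. The in-memory `db`, the session objects and the handler names are constructed assumptions.

```javascript
// Constructed stand-in for the site's database and login state (not real data).
const db = {
  users: {
    96204: { vip: false, balance: 0, chances: 0 }, // the author's account ID from the post, a normal user
    1: { vip: true, balance: 0, chances: 2 },      // constructed VIP user with two lottery chances
  },
  vouchers: [],
};

// Order confirmation: the VIP check is repeated on the server, so submitting form1
// directly from the address bar no longer gets past it.
function confirmOrder(session, db) {
  const user = db.users[session.userId];
  if (!user) return { ok: false, error: 'not logged in' };
  if (!user.vip) return { ok: false, error: 'VIP members only' };
  return { ok: true };
}

// Golden-egg hit: the remaining chances come from the database, never from the request.
// Any client-supplied `chance` value (1, 0, -1, ...) is ignored, so there is nothing to overflow.
function hitGoldenEgg(session, params, db) {
  const user = db.users[session.userId];
  if (!user) return { ok: false, error: 'not logged in' };
  if (user.chances <= 0) return { ok: false, error: 'no chances left, invite friends' };
  user.chances -= 1;                         // state is decremented server-side
  db.vouchers.push({ userId: session.userId });
  return { ok: true, chancesLeft: user.chances };
}

// Offline recharge: a management action, so it requires an administrator session,
// an existing target user and a positive integer amount.
function offlineRecharge(session, params, db) {
  if (!session.isAdmin) return { ok: false, error: 'forbidden' };
  const target = db.users[params.userId];
  const amount = Number(params.amount);
  if (!target || !Number.isInteger(amount) || amount <= 0) {
    return { ok: false, error: 'bad request' };
  }
  target.balance += amount;
  return { ok: true, balance: target.balance };
}
```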

From: http://www.cnblogs.com/jintianhu/archive/2011/01/03/1924989.html
