Ever since a colleague recommended a hot-pot deal on a group-buying site back in March, I have been hooked: I browse it almost every day to see what is cheap and tasty, and New Year's Day was no exception. On the morning of the 1st I saw the XXX group-buying site's "VIP members get a red packet for 0 yuan" promotion. 0 yuan? That is my favourite price. I have joined plenty of 0-yuan lotteries and never won anything, but people always believe in their luck, so I registered, clicked Buy, went to the shopping cart and clicked Confirm Order. Why? Why did an alert say "Only VIP members can participate in this activity"? My first reaction was to look at the page source. (The promotion has ended and I can no longer get to the purchase page, so pseudocode will have to stand in for it:)
// Click handler for the order-confirmation button (reconstruction of the page's
// vulnerable client-side check; getCurrentUserTypeViaAjax is a placeholder name
// for the Ajax call that fetched the current user's type)
function btn_click() {
    var userType = getCurrentUserTypeViaAjax();
    if (userType !== "VIP") {
        alert("Only VIP members can participate in this activity");
    } else {
        form1.submit();   // the only gate before the order is submitted
    }
}
In the address bar I typed javascript:form1.submit(); and hit Enter. The payment page came up; click OK? Purchase successful! I got a 5 yuan red packet!
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/1G01452R-0.jpg]
Awesome!!! I registered a new account, repeated the steps above and got another 5 yuan red packet. I left a message for customer service right away describing the bug, but have had no reply yet, heh. The crux of this vulnerability is that the developer forgot to check whether the current user is a VIP member in the server-side code that handles the request sent by form1.submit(), relying on JavaScript validation alone.
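The following is an added example and not the site's own code: it shows the same order-confirmation request handled by a server that trusts the JavaScript gate, next to one that re-derives the VIP decision from its own records. The account table, session cookies, route name and handler names are all hypothetical; the request object stands in for what an HTTP framework would hand the handler.

```javascript
// Added example (not the site's code): the order-confirmation check moved to
// the server. Names, routes and the sample accounts below are hypothetical.
const users = new Map([
  [96204, { type: 'normal' }],  // constructed sample account
  [1, { type: 'vip' }],         // constructed sample account
]);
const sessions = new Map([      // session cookie value -> user id
  ['sess-normal', 96204],
  ['sess-vip', 1],
]);

// What the server receives when `javascript:form1.submit()` is typed into the
// address bar: a POST carrying the page's form fields and the session cookie,
// with no trace of whether btn_click() ever ran.
function directSubmit(sid, fields) {
  return { method: 'POST', path: '/confirm_order', cookies: { sid: sid }, body: fields || {} };
}

// Vulnerable handler: assumes the JavaScript gate already turned non-VIPs away.
function confirmOrderVulnerable(req) {
  const userId = sessions.get(req.cookies.sid);
  if (userId === undefined) return { status: 401, body: 'login required' };
  return { status: 200, body: 'order placed, red packet granted' };
}

// Hardened handler: the VIP decision is re-derived from server-side records on
// every request, so it holds no matter how the request was produced.
function confirmOrderSafe(req) {
  const userId = sessions.get(req.cookies.sid);
  if (userId === undefined) return { status: 401, body: 'login required' };
  const user = users.get(userId);
  if (!user || user.type !== 'vip') return { status: 403, body: 'VIP members only' };
  return { status: 200, body: 'order placed, red packet granted' };
}

// Stand-alone demo: the same forged request against both handlers.
const forged = directSubmit('sess-normal', { product: 'red-packet-0-yuan' });
console.log('vulnerable:', confirmOrderVulnerable(forged).status); // 200
console.log('hardened:  ', confirmOrderSafe(forged).status);       // 403
```

Note that the hardened handler never looks at anything the form carries to decide eligibility; the only inputs are the session cookie and the server's own user table, which is exactly what the address-bar trick cannot influence.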
What is front-end validation worth, then? It can be bypassed. Server-side validation is what matters!! Encouraged by the morning's haul, on the evening of the 1st I went looking for more holes in the site and found a more serious one. The site was running a New Year's Day lucky draw: buy a deal and you could take part in a "smash the golden egg" game for free. After buying the deal I found that you had to invite friends to get chances to smash an egg; each invited friend gave one chance,
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/1G0144402-1.jpg]
As soon as I clicked the golden egg, an alert said "You have no chances left. Invite friends now!". Hmm, JavaScript again? Let's look at the code first:
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/1G0141145-2.jpg]
This is the golden egg's click handler. One of the pages it calls via AJAX is lottery1.php, and the chance parameter it passes should be the current user's number of remaining chances. I tried requesting lottery1.php?chance=1 directly: an error string came back. lottery1.php?chance=0: error. lottery1.php?chance=-1: error as well. No effect? Then I refreshed the egg-smashing page. Wow!!
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/1G01431O-3.jpg]
Did the -1 I passed cause an overflow? I smashed a few more eggs and got a voucher every time!! Awesome. Next I tried placing an order with a voucher, and it did knock a few yuan off, although only one voucher could be used per order. (Of course I cancelled the test order in the end; I'm not that evil, wow.) I contacted customer service immediately, but they had gone home, their QQ was offline and the phone would not connect, so I had to leave a message.
What next? Click! For the roughly 4.2 billion golden eggs, I wrote a bit of JS to smash them automatically! As of now 3,588 golden eggs have been opened in total, and at least 2,000 of them were smashed by me. Wow:
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/1G0141457-4.jpg]
A full 185 pages, haha, quite a spectacle!!! On the 2nd I looked through the site's code again and found an even more serious problem:
The JS has a method like this
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/1G0144548-5.jpg]
At first glance it is money-related: pass in a user ID and an amount, and see what happens. How do I get a user ID? No worry, there is one right here:
This 96204 is the ID of my current account. After a single visit the system returned "offline recharge successful". Wow, is it really that powerful? Is there any permission check on the recharge page at all? I checked the account balance, and the recharge had indeed gone through:
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/1G0143536-6.jpg]
Your brother now has a balance of 20 thousand. Wow!! This vulnerability is fatal, so I left a message for customer service straight away. After I did, their developer called me and went over the vulnerabilities with me; I told him about all the ones I had just found. The poor developer: it was New Year's Day, and the code had to be changed that afternoon.
After the fix he said the boss might send me some gifts, so I'm looking forward to that. Finally he zeroed my account balance, and I screamed inside: NO ~ my 20 thousand RMB ~~~~~~~~
To sum up: front-end validation cannot be relied on; the back end must validate every request itself. Management pages such as the recharge page must enforce access permissions, and every value sent to the back end must be checked for validity. Where a parameter need not be passed at all, as with the golden eggs, do not pass it: why send the user's remaining chances from the client when the server can read them straight from the database? Do not transmit such state in plain text. In addition, guard against XSS (cross-site scripting) by encoding untrusted data on output, and, as a general measure, validate the Host header as well.
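The following is an added example and not the site's own code. It covers the two remaining findings above, the golden-egg lottery that trusted a client-supplied chance parameter and the offline-recharge call that had no permission check, in the way the summary recommends: the lottery handler never reads the chance parameter and instead decrements a counter the server owns, and the recharge handler takes its authorization decision from the session's role, validates the user ID and amount as bounded positive integers, and writes an audit record. Routes, role names, the session and user tables, and the fen-denominated amounts are all hypothetical.

```javascript
// Added example (not the site's code): server-owned lottery state and an
// access-controlled offline-recharge endpoint. All names, routes, roles and
// sample accounts are hypothetical.
const users = new Map([
  [96204, { role: 'user',  balanceFen: 0, eggChances: 1 }],  // constructed sample
  [7,     { role: 'admin', balanceFen: 0, eggChances: 0 }],  // constructed sample
]);
const sessions = new Map([['sess-me', 96204], ['sess-admin', 7]]);
const auditLog = [];

function lookupSession(req) {
  const id = sessions.get(req.cookies && req.cookies.sid);
  if (id === undefined || !users.has(id)) return null;
  return { id: id, rec: users.get(id) };
}

// Strictly positive decimal integer: no sign, no whitespace, no exponent,
// at most 10 digits, and not above `max`. Anything else yields null, so
// inputs such as "-1", "1e9" or "" never reach arithmetic.
function parsePositiveInt(raw, max) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,9}$/.test(raw)) return null;
  const n = Number(raw);
  return n <= max ? n : null;
}

// Lottery: req.query.chance is deliberately never read. The remaining-attempt
// counter lives on the server and is decremented here, so a client sending
// chance=-1 has nothing to overflow.
function smashEgg(req) {
  const s = lookupSession(req);
  if (!s) return { status: 401, body: 'login required' };
  if (s.rec.eggChances <= 0) return { status: 200, body: 'no chances left, invite a friend' };
  s.rec.eggChances -= 1;
  return { status: 200, body: 'voucher awarded' };
}

// Recharge: a management action. The role comes from the session, never from
// a parameter, and the target id and amount are validated before use.
function offlineRecharge(req) {
  const s = lookupSession(req);
  if (!s) return { status: 401, body: 'login required' };
  if (s.rec.role !== 'admin') return { status: 403, body: 'forbidden' };
  const uid = parsePositiveInt(req.query.uid, 2147483647);
  const fen = parsePositiveInt(req.query.amount, 100000000); // cap: 1,000,000 yuan
  const target = uid === null ? undefined : users.get(uid);
  if (!target || fen === null) return { status: 400, body: 'bad request' };
  target.balanceFen += fen;
  auditLog.push({ by: s.id, uid: uid, fen: fen });   // who credited whom, how much
  return { status: 200, body: 'offline recharge successful' };
}

// Builds the request object a framework would hand the handlers.
function request(sid, query) {
  return { method: 'GET', cookies: { sid: sid }, query: query || {} };
}

// Stand-alone demo: the chance parameter is ignored, and an ordinary user
// cannot credit their own account.
console.log(smashEgg(request('sess-me', { chance: '-1' })).body);   // voucher awarded
console.log(smashEgg(request('sess-me', { chance: '-1' })).body);   // no chances left, invite a friend
console.log(offlineRecharge(request('sess-me', { uid: '96204', amount: '2000000' })).status); // 403
```

The two handlers share one rule: nothing the browser sends is allowed to decide who the caller is or how many attempts they have left. The only client-supplied values that influence state are the recharge target and amount, and both pass through a parser that rejects anything outside a small, explicitly bounded shape before any arithmetic happens.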