Since I bought a hot pot package in March from a group-buying site recommended by my colleagues, I have been hooked. I browse it almost every day to see what is cheap and tasty.
New Year's Day was no exception. On the morning of the 1st I saw the xxx group-buying site's "VIP members receive a red packet for 0 yuan" activity. 0 yuan? That is what I like most. Although I have taken part in many 0-yuan lottery events, people always have faith in their luck, so I registered and clicked Buy to go to the shopping cart.
I clicked "Confirm order". Why does an alert say "Only VIP members can participate in this activity"? My first reaction was to look at the page source (the activity has ended, so I have to use pseudocode here):
// Click handler for the order-confirmation button (the author's pseudocode written out as JavaScript;
// the Ajax endpoint that returns the user type is not named in the post, so a placeholder is used)
function btn_click() {
    // Ajax request that fetches the current user's type from the server
    $.get("<user-type-endpoint>", function (userType) {
        if (userType !== "VIP") {
            alert("VIP members are only allowed to participate in this activity.");
        } else {
            form1.submit(); // the only check is this client-side one
        }
    });
}
In the address bar I typed javascript:form1.submit(); and pressed Enter. It went to the payment page; click OK? Purchased successfully! I got a 5 yuan red packet!
Awesome!!! I registered a new account, repeated the steps above, and again received a 5 yuan red packet.
I immediately left a message for customer service describing this bug, but they have not replied yet, heh.
The crux of this vulnerability is that the developer forgot to check, in the back-end code that handles form1.submit(), whether the current user is a VIP member, and relied only on JavaScript validation.
What is front-end validation for, when it can simply be bypassed? Back-end validation is what matters!!
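To make the point concrete, here is an added example (not the group-buying site's code, whose back end is not shown in the post) that models the order-confirmation step as two server-side handlers: one that trusts the page's JavaScript check, and one that re-derives VIP status from the server's own user record. The user table, the session object and the account ids are constructed for the example.

```javascript
// Added example: server-side handling of "Confirm order" before and after the fix.
// All data here is constructed; 96204 is the account id quoted in the post, the others are made up.
const users = {
  96204: { vip: false }, // an ordinary member
  31337: { vip: true },  // a VIP member
};

// "Before": the back end receives form1's fields and assumes the JavaScript on the page
// already turned non-VIP users away, so it never checks membership itself.
function confirmOrderNoCheck(session, form) {
  return { ok: true, redPacket: 5 };
}

// "After": VIP status is looked up by the session's user id in the server's own records.
// Nothing the browser sends (form fields, query string, cookies other than the session) decides it.
function confirmOrderChecked(session, form) {
  const user = users[session.userId];
  if (!user || !user.vip) {
    return { ok: false, error: "Only VIP members can participate in this activity." };
  }
  return { ok: true, redPacket: 5 };
}

// Replays what the post describes: skip btn_click() entirely and submit form1 directly.
// Whether that succeeds depends only on which handler sits behind the form.
function directSubmit(handler, userId) {
  const session = { userId };                       // the server's view of who is logged in
  const form = { activity: "vip-red-packet", qty: 1 }; // the fields form1 would post
  return handler(session, form);
}
```

Running directSubmit(confirmOrderNoCheck, 96204) succeeds for the non-VIP account exactly as it did for the author; the same call against confirmOrderChecked is refused, while a VIP account still gets through, which is the only behaviour the original JavaScript was ever meant to enforce.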
After the morning's gains, on the evening of the 1st I went on looking for other vulnerabilities on the group-buying site, and I found a more serious one.
The site ran a New Year's Day lucky draw, a "smash the golden egg" activity that could be joined for free. After buying the group deal, I found that you had to invite friends to get a chance to smash a golden egg; each friend invited gave one more chance.
As soon as I clicked the golden egg, an alert said "You have no chance to win a lottery. Invite friends now!" Well, JavaScript again? Look at the code first:
This is the golden egg click event. One of the pages it requests via Ajax is lottery1.php, and the chance variable passed in is supposed to be the current user's number of chances.
I tried accessing lottery1.php?chance=1 directly: it returned the error string. lottery1.php?chance=0: error. lottery1.php?chance=-1: also error. Did it have no effect? I refreshed the egg-smashing page. Wow!!
Did passing -1 cause an overflow? I tried smashing a few eggs, and I got a voucher every time!! Awesome. Next I tried placing an order with a voucher, and I really could knock a few dollars off (though one order can only use one voucher).
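The post does not show lottery1.php, so the exact reason chance=-1 kept paying out is unknown. The following added example (not the site's code) models one way a client-supplied count goes wrong, as an assumption: a "not zero" test on the value from the request, which a negative number passes and which decrementing never brings back to zero. Beside it is a handler that keeps the count in server state only, takes no chance parameter at all, and decrements before issuing the prize. The model is simplified and does not reproduce the error string the author saw when calling the URL directly; the user id, voucher text and counts are constructed.

```javascript
// Added example: the egg-smashing endpoint with a client-supplied chance count versus
// a server-held one. Data is constructed; 96204 is the account id quoted in the post.
const chancesLeft = { 96204: 0 }; // server-side record: this account has invited nobody yet

// Vulnerable model (assumed mechanism): the count comes from the query string and the
// only test is "not zero", so -1 passes, becomes -2, and never reaches zero.
function smashEggTrusting(userId, query) {
  let chance = parseInt(query.chance, 10);
  if (Number.isNaN(chance) || chance === 0) {
    return { ok: false, error: "You have no chance to win a lottery. Invite friends now!" };
  }
  chance -= 1;
  return { ok: true, voucher: "constructed-voucher", chance };
}

// Hardened model: the request carries no count. The remaining chances are read from
// server state, must be a positive integer, and are decremented before the prize is issued.
function smashEggServerState(userId) {
  const left = chancesLeft[userId];
  if (!Number.isInteger(left) || left <= 0) {
    return { ok: false, error: "You have no chance to win a lottery. Invite friends now!" };
  }
  chancesLeft[userId] = left - 1;
  return { ok: true, voucher: "constructed-voucher", chance: chancesLeft[userId] };
}

// The only legitimate way the count grows: the server credits one chance per invited friend.
function inviteFriend(userId) {
  chancesLeft[userId] = (chancesLeft[userId] || 0) + 1;
}

// Test harness that repeats the request with chance=-1 and counts how many vouchers come back.
// Against the trusting handler the number is unbounded; against the server-state handler it is
// exactly the number of chances the server credited, whatever the request says.
function countVouchers(handler, userId, attempts) {
  let vouchers = 0;
  for (let i = 0; i < attempts; i++) {
    if (handler(userId, { chance: "-1" }).ok) vouchers++;
  }
  return vouchers;
}
```

The hardened handler ignores its second argument on purpose: once the count lives only on the server there is nothing for the page to send, which is the point the summary at the end of the post makes about parameters that never needed to be passed.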
I contacted customer service immediately, but they were off work, QQ was offline, and I could not get through by phone, so I had to leave a message.
What next? Click away! With about 4.2 billion golden eggs, I wrote a bit of JS to auto-smash them! So far a total of 3588 golden eggs have been opened, and at least 2000 of them were smashed by me.
I got a lot of vouchers:
A full 185 pages, haha, pretty spectacular!!!
On the 2nd, I checked the group-buying site's code again and found an even more serious problem:
The JS has a method like this:
At first glance it is related to money: pass in a user ID and an amount, and see what effect it has.
How do I get the user ID? No worry, there it is:
This 96204 is the ID of my current account. After visiting it, the system returned "offline recharge successful". Wow, is it really that powerful? Is there no permission check on the recharge page at all?
I checked the account balance, and the recharge had succeeded:
I now have a balance of 20 thousand. Wow!! This vulnerability is far too serious, so I immediately left a message for customer service. After I left the message, their developer called me and discussed it with me.
I simply told him about the vulnerabilities I had found. The developer is suffering: during the New Year's Day holiday the code has to be changed after PM.
After the fix he said the boss might send me some gifts, so I am looking forward to it.
Finally, he cleared my account balance, and I shouted in my heart: NO~ ah, my 20 thousand RMB~~~~~~~~
To sum up: front-end validation is not reliable; the back end must validate everything again. Access permission checks must be added to management pages. Data passed to the back end must be validated for legitimacy, and if a parameter does not need to be passed at all, don't pass it. Take the golden eggs, for example: I wonder why the current user's chance count is passed in from the page at all.
Can't the back end read it directly from the database? Do not transmit such values in plain text. In addition, XSS cross-site scripting attacks should be prevented (generally, the host header should be checked).
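The recharge page is the clearest case of the "access permissions on management pages" point above. The added example below (not the site's recharge script, of which the post shows only the behaviour) models an "offline recharge" handler before and after the fix: the hardened version takes authorisation from the caller's own session role rather than from anything in the request, validates the target account and the amount, and writes every credit to an audit log so that a 20 thousand yuan balance appearing out of nowhere would at least be visible. The sessions, roles, balances and the amount limit are all constructed.

```javascript
// Added example: an "offline recharge" handler with and without an access check.
// All data is constructed; 96204 is the account id quoted in the post, the rest is made up.
const balances = { 96204: 0, 5001: 120 };
const sessions = {
  member_session:  { userId: 96204, role: "member" },  // an ordinary customer
  finance_session: { userId: 7,     role: "finance" }, // staff allowed to post offline recharges
};
const auditLog = [];
const MAX_RECHARGE = 10000; // constructed per-transaction ceiling

// "Before": whoever can reach the URL credits any account with any amount.
// The caller's identity is never consulted; the user id in the request is simply believed.
function rechargeOpen(sessionId, params) {
  const amount = Number(params.amount);
  balances[params.userId] = (balances[params.userId] || 0) + amount;
  return { ok: true, message: "offline recharge successful", balance: balances[params.userId] };
}

// "After": authorisation is decided by the caller's session role, the target account must
// exist, the amount must be a positive integer within the ceiling, and the credit is logged.
function rechargeChecked(sessionId, params) {
  const session = sessions[sessionId];
  if (!session || session.role !== "finance") {
    return { ok: false, error: "forbidden" };
  }
  if (!(params.userId in balances)) {
    return { ok: false, error: "unknown user" };
  }
  const amount = Number(params.amount);
  if (!Number.isInteger(amount) || amount <= 0 || amount > MAX_RECHARGE) {
    return { ok: false, error: "invalid amount" };
  }
  balances[params.userId] += amount;
  auditLog.push({ by: session.userId, to: params.userId, amount });
  return { ok: true, message: "offline recharge successful", balance: balances[params.userId] };
}

// Small helper for a monitoring check: total credited to one account according to the log.
function creditedTo(userId) {
  return auditLog.filter((e) => e.to === userId).reduce((sum, e) => sum + e.amount, 0);
}
```

With rechargeOpen, a member session crediting its own account with 20000 succeeds, which is the post's scenario. With rechargeChecked the same request is refused as forbidden, a finance session is still limited by the amount rules, and the audit log lets an operator reconcile balances against recorded credits.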