Recently, we found RESTful API bugs in some popular mobile applications by a fuzzing test tool:

Pinduoduo - version: 4.77.0

• Bug ID 2

  API: GET https://api.yangkeduo.com/api/cappuccino/splash

  when parameter "platform" = "/.:/" we get the status code of 500

  see detailed information in the appendix -> Bug ID 2

近期，我们利用某模糊测试工具发现了几家大厂 App 接口存在如下 bug：

拼多多 - 版本: 4.77.0

• Bug ID 2

  接口: GET https://api.yangkeduo.com/api/cappuccino/splash

  参数 "platform" = "/.:/" 时报 500

  具体报文见附录 -> Bug ID 2

Appendix 附录

• Bug ID 2

  {
    "appName": "Pinduoduo",
    "method": "GET",
    "url": "https://api.yangkeduo.com/api/cappuccino/splash",
    "status_code": 500,
    "request": {
      "client_time": "1575319562214",
      "density": "2.75",
      "height": "1821",
      "launch_type": "1",
      "pdduid": "",
      "platform": "/.:/",
      "support_formats": "1",
      "version": "1",
      "width": "1080"
    },
    "response_data": {
      "error_code": 50000,
      "error_msg": "http error:500"
    }
  }