Bug 曝光台 Sina News RESTful API Bug | 新浪新闻 RESTful API Bug

LawisChen · 2020年05月17日 · 1030 次阅读

Recently, we found RESTful API bugs in some popular mobile applications by a fuzzing test tool:

Sina News - version: 7.25.1

Bug ID 3

API: GET https://api.weibo.com/oauth2/getaid.json

when parameter "packagename" = "/.:/" we get the status code of 500

see detailed information in the appendix -> Bug ID 3
Bug ID 4

API: GET https://api.weibo.com/oauth2/getaid.json

when parameter "mfp" = "/.:/" we get the status code of 503

see detailed information in the appendix -> Bug ID 4

近期，我们利用某模糊测试工具发现了几家大厂 App 接口存在如下 bug：

新浪新闻 - 版本: 7.25.1

Bug ID 3

接口: GET https://api.weibo.com/oauth2/getaid.json

参数 "packagename" = "/.:/" 时报 500

具体报文见附录 -> Bug ID 3
Bug ID 4

接口: GET https://api.weibo.com/oauth2/getaid.json

参数 "mfp" = "/.:/" 时报 503

具体报文见附录 -> Bug ID 4

Appendix 附录

Bug ID 3

{
  "appName": "Sina News",
  "method": "GET",
  "url": "https://api.weibo.com/oauth2/getaid.json",
  "status_code": 500,
  "request": {
    "appkey": "2032681696",
    "key_hash": "18da2bf10352443a00a5e046d9fca6bd",
    "mfp": "01Qx15bPb01yFBFLZVOJAW/Pb+yy6NatjaG63Q61Td9kabGAku/MuxVtQmAxX/1JPEUVFpzer/kpNRT3hpXU6aDYZKxYKUAlPOQoDKylFGgX6SQ8nNnHUb0ncMHXFAHKSATrxkrJAkG8lxoegfdfuwXtqgHqU2s6DlldbYcKAWixQU+5Jaa/mUpAlzXLz+jAyRJoc1+WP04Ffg0hjzD38frjC/FKnOOtfiF/L1WAxgiE5fWTiQuQQCgJMpLzbGQVUAIdtN+/a/T5bSLk5yxPV7H7uilCyje0uWtKuAK2O8MPHFJfWJDSic/7BfFyA1JnBRvbl9SPK3jCg7omY3Xed2M39k4t7vds7US9gE9i+3oIJXBSHvma/X44Xsaewi7Ibtr/KSvnniaJu78q5Jc8OxTNoVLD3OltR8X4qyLH/mJwwfuOoEAiB7Gg2U+cQyy1y+6y7RaxkjEOylrVh1SUClAeY5adnBdSaW5edC+3+FEaW/zIfn5fQBmSxUIIjs+k1PFsOWbifC2hEsrGysAU469MOLFUceaCH3Gkc+aXgsGgAtAMToY+egcHJXdy9mohrVNXhX8u1vKYxwNW7f//6+UpmnqCkEpZPjjJHlBzEYXziRjX07ZFSMF7k2UospoKWL4U7lWU4qQDh2bPmZLyoc46iYwSFtbEvTz0NN4IAMbC4=",
    "oauth_sign": "88b4b28",
    "oauth_timestamp": "1575317298",
    "packagename": "/.:/"
  },
  "response_data": {
    "error": "system error!",
    "error_code": 10001,
    "request": "/oauth2/getaid.json"
  }
}

Bug ID 4

{
  "appName": "Sina News",
  "method": "GET",
  "url": "https://api.weibo.com/oauth2/getaid.json",
  "status_code": 503,
  "request": {
    "appkey": "2032681696",
    "key_hash": "18da2bf10352443a00a5e046d9fca6bd",
    "mfp": "/.:/",
    "oauth_sign": "88b4b28",
    "oauth_timestamp": "1575317298",
    "packagename": "com.sina.news"
  },
  "response_data": {
    "error": "temporarily_unavailable",
    "error_code": 21331,
    "request": "/oauth2/getaid.json",
    "error_uri": "/oauth2/getaid.json",
    "error_description": "get aid fail"
  }
}

2 个赞

暂无回复。

需要登录后方可回复, 如果你还没有账号请点击这里注册。