Recently, using a fuzzing test tool, we found the following HTTP API faults in some popular mobile applications (the exact request and response for each are recorded in the appendix). Note that the affected hosts belong to 53kf.com, which appears to be a third-party customer-service/tracking service loaded from a web page inside the app's WebView (see the Referer and X-Requested-With headers in the appendix), rather than the app vendor's own backend:
Bug ID 6
API: GET http://accwww25c1.53kf.com/sendacc.jsp
we get the status code 502 Bad Gateway from the nginx front end. A 502 means the reverse proxy could not get a response from its upstream; it is usually a backend outage or overload rather than an input-handling bug, and the recorded request appears to be an ordinary, unmutated tracking beacon (`cmd=ACC`), so the request should be replayed several times to confirm the failure is deterministic before treating it as a bug. Separately, the beacon is sent over plaintext HTTP and carries the visitor's IP address and coarse location (`guest_ip`, `guest_ip_info`, `area`) in the query string, so it is exposed to anyone on the network path; the tester's own public IP is also embedded in the appendix and should be redacted before publication.
see detailed information in the appendix -> Bug ID 6
Bug ID 7
API: GET http://accwww5c1.53kf.com/sendacc.jsp
we get the status code 502 Bad Gateway from the openresty front end. As with Bug ID 6, this is a reverse-proxy/upstream error rather than evidence of faulty input handling, and the recorded request appears to be an unmutated tracking beacon; replay it to confirm the failure is reproducible rather than a transient outage. The same plaintext-HTTP exposure of `guest_ip`/`guest_ip_info`/`area` applies here.
see detailed information in the appendix -> Bug ID 7
近期，我们利用某模糊测试工具发现了几家大厂 App 所调用的接口存在如下 bug（具体请求与响应报文见附录）。需要说明的是，相关主机属于 53kf.com，从附录中的 Referer 与 X-Requested-With 头来看，它应是 App 内 WebView 页面加载的第三方客服/统计服务，而非 App 厂商自身的后端接口：
Bug ID 6
接口: GET http://accwww25c1.53kf.com/sendacc.jsp
返回 502 Bad Gateway（nginx 前端）。502 表示反向代理未能从上游取得响应，通常是后端故障或过载而非输入处理缺陷；附录中记录的请求看起来是未经变异的普通统计上报（`cmd=ACC`），建议多次重放确认该错误可稳定复现后再视为 bug。另外，该请求通过明文 HTTP 发送，并在查询串中携带访客 IP 及粗略地理位置（`guest_ip`、`guest_ip_info`、`area`），链路上任何一方都可读取；附录中也包含测试者自身的公网 IP，发布前应做脱敏。
具体报文见附录 -> Bug ID 6
Bug ID 7
接口: GET http://accwww5c1.53kf.com/sendacc.jsp
返回 502 Bad Gateway（openresty 前端）。与 Bug ID 6 相同，这是反向代理/上游错误而非输入处理缺陷的证据，且记录的请求同样是未经变异的统计上报，请重放确认是否稳定复现而非瞬时故障。`guest_ip`/`guest_ip_info`/`area` 经明文 HTTP 暴露的问题在此同样存在。
具体报文见附录 -> Bug ID 7
Bug ID 6
{
"appName": "Sohu News",
"method": "GET",
"url": "http://accwww25c1.53kf.com/sendacc.jsp",
"status_code": 502,
"request": {
"method": "GET",
"url": "http://accwww25c1.53kf.com/sendacc.jsp?cmd=ACC&did=0&sid=12&company_id=72141072&guest_id=10867914892009&status=0&guest_name=&guest_ip=218.193.184.197&guest_ip_info=%E4%B8%8A%E6%B5%B7%E5%B8%82%5B%E6%95%99%E8%82%B2%E7%BD%91%5D&area=%E4%B8%8A%E6%B5%B7%2D&from_page=&talk_page=http%3A%2F%2Fshhs-coco36.yjrmss.cn%2Fcoco-nc-wap%2F%3F%3D7.18-APP-tw&kf_time=1573281168&bto_id6d=-99&time=1573281168893&ucust_id=&style=3&is_mobile=y&visitor_type=new&is_uv=1&browser=chrome&os=android&is_revisit=0&page_title=coco%E5%A5%B6%E8%8C%B6%E5%AE%98%E7%BD%91",
"httpVersion": "HTTP/1.1",
"cookies": [],
"headers": [
{
"name": "Host",
"value": "accwww25c1.53kf.com"
},
{
"name": "Proxy-Connection",
"value": "keep-alive"
},
{
"name": "Accept",
"value": "*/*"
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Linux; Android 6.0; HUAWEI MT7-CL00 Build/HuaweiMT7-CL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/49.0.2623.105 Mobile Safari/537.36 JsKit/1.0 (Android) Mozilla/5.0 (Linux; Android 6.0; HUAWEI MT7-CL00 Build/HuaweiMT7-CL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/49.0.2623.105 Mobile Safari/537.36 JsKit/1.0 (Android)/SohuNews/6.1.8 BuildCode/604"
},
{
"name": "Referer",
"value": "http://shhs-coco36.yjrmss.cn/coco-nc-wap/?=7.18-APP-tw"
},
{
"name": "Accept-Encoding",
"value": "gzip, deflate"
},
{
"name": "Accept-Language",
"value": "zh-CN,en-US;q=0.8"
},
{
"name": "X-Requested-With",
"value": "com.sohu.newsclient"
}
],
"queryString": [
{
"name": "cmd",
"value": "ACC"
},
{
"name": "did",
"value": "0"
},
{
"name": "sid",
"value": "12"
},
{
"name": "company_id",
"value": "72141072"
},
{
"name": "guest_id",
"value": "10867914892009"
},
{
"name": "status",
"value": "0"
},
{
"name": "guest_name",
"value": ""
},
{
"name": "guest_ip",
"value": "218.193.184.197"
},
{
"name": "guest_ip_info",
"value": "上海市[教育网]"
},
{
"name": "area",
"value": "上海-"
},
{
"name": "from_page",
"value": ""
},
{
"name": "talk_page",
"value": "http://shhs-coco36.yjrmss.cn/coco-nc-wap/?=7.18-APP-tw"
},
{
"name": "kf_time",
"value": "1573281168"
},
{
"name": "bto_id6d",
"value": "-99"
},
{
"name": "time",
"value": "1573281168893"
},
{
"name": "ucust_id",
"value": ""
},
{
"name": "style",
"value": "3"
},
{
"name": "is_mobile",
"value": "y"
},
{
"name": "visitor_type",
"value": "new"
},
{
"name": "is_uv",
"value": "1"
},
{
"name": "browser",
"value": "chrome"
},
{
"name": "os",
"value": "android"
},
{
"name": "is_revisit",
"value": "0"
},
{
"name": "page_title",
"value": "coco奶茶官网"
}
],
"headersSize": 731,
"bodySize": 0
},
"response_data": {
"status": 502,
"statusText": "Bad Gateway",
"httpVersion": "HTTP/1.1",
"cookies": [],
"headers": [
{
"name": "Server",
"value": "nginx"
},
{
"name": "Date",
"value": "Sat, 09 Nov 2019 06:32:49 GMT"
},
{
"name": "Content-Type",
"value": "text/html"
},
{
"name": "Content-Length",
"value": "568"
},
{
"name": "Connection",
"value": "keep-alive"
}
],
"content": {
"size": 568,
"compression": 0,
"mimeType": "text/html",
"text": "<html>\r\n<head><title>502 Bad Gateway</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>502 Bad Gateway</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n"
},
"redirectURL": "",
"headersSize": 169,
"bodySize": 568
}
}
Bug ID 7
{
"appName": "Sohu News",
"method": "GET",
"url": "http://accwww5c1.53kf.com/sendacc.jsp",
"status_code": 502,
"request": {
"method": "GET",
"url": "http://accwww5c1.53kf.com/sendacc.jsp?cmd=ACC&did=0&sid=12&company_id=72093637&guest_id=10867915190009&status=0&guest_name=&guest_ip=218.193.184.197&guest_ip_info=%E4%B8%8A%E6%B5%B7%E5%B8%82%5B%E6%95%99%E8%82%B2%E7%BD%91%5D&area=%E4%B8%8A%E6%B5%B7%2D&from_page=&talk_page=http%3A%2F%2Fshhs-ydd45x1.fmeibao.com%2Fydd-yp-wap%2F%3F%3Dxt1&kf_time=1573281184&bto_id6d=-99&time=1573281184787&ucust_id=&style=8&is_mobile=y&visitor_type=new&is_uv=1&browser=chrome&os=android&is_revisit=0&page_title=%E5%8F%B0%E5%BC%8F%E7%BD%91%E7%BA%A2%E5%A5%B6%E8%8C%B6%E5%8A%A0%E7%9B%9F%E5%AE%98%E7%BD%91",
"httpVersion": "HTTP/1.1",
"cookies": [],
"headers": [
{
"name": "Host",
"value": "accwww5c1.53kf.com"
},
{
"name": "Proxy-Connection",
"value": "keep-alive"
},
{
"name": "Accept",
"value": "*/*"
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Linux; Android 6.0; HUAWEI MT7-CL00 Build/HuaweiMT7-CL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/49.0.2623.105 Mobile Safari/537.36 JsKit/1.0 (Android) Mozilla/5.0 (Linux; Android 6.0; HUAWEI MT7-CL00 Build/HuaweiMT7-CL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/49.0.2623.105 Mobile Safari/537.36 JsKit/1.0 (Android)/SohuNews/6.1.8 BuildCode/604"
},
{
"name": "Referer",
"value": "http://shhs-ydd45x1.fmeibao.com/ydd-yp-wap/?=xt1"
},
{
"name": "Accept-Encoding",
"value": "gzip, deflate"
},
{
"name": "Accept-Language",
"value": "zh-CN,en-US;q=0.8"
},
{
"name": "X-Requested-With",
"value": "com.sohu.newsclient"
}
],
"queryString": [
{
"name": "cmd",
"value": "ACC"
},
{
"name": "did",
"value": "0"
},
{
"name": "sid",
"value": "12"
},
{
"name": "company_id",
"value": "72093637"
},
{
"name": "guest_id",
"value": "10867915190009"
},
{
"name": "status",
"value": "0"
},
{
"name": "guest_name",
"value": ""
},
{
"name": "guest_ip",
"value": "218.193.184.197"
},
{
"name": "guest_ip_info",
"value": "上海市[教育网]"
},
{
"name": "area",
"value": "上海-"
},
{
"name": "from_page",
"value": ""
},
{
"name": "talk_page",
"value": "http://shhs-ydd45x1.fmeibao.com/ydd-yp-wap/?=xt1"
},
{
"name": "kf_time",
"value": "1573281184"
},
{
"name": "bto_id6d",
"value": "-99"
},
{
"name": "time",
"value": "1573281184787"
},
{
"name": "ucust_id",
"value": ""
},
{
"name": "style",
"value": "8"
},
{
"name": "is_mobile",
"value": "y"
},
{
"name": "visitor_type",
"value": "new"
},
{
"name": "is_uv",
"value": "1"
},
{
"name": "browser",
"value": "chrome"
},
{
"name": "os",
"value": "android"
},
{
"name": "is_revisit",
"value": "0"
},
{
"name": "page_title",
"value": "台式网红奶茶加盟官网"
}
],
"headersSize": 724,
"bodySize": 0
},
"response_data": {
"status": 502,
"statusText": "Bad Gateway",
"httpVersion": "HTTP/1.1",
"cookies": [],
"headers": [
{
"name": "Server",
"value": "openresty"
},
{
"name": "Date",
"value": "Sat, 09 Nov 2019 06:33:05 GMT"
},
{
"name": "Content-Type",
"value": "text/html"
},
{
"name": "Content-Length",
"value": "572"
},
{
"name": "Connection",
"value": "keep-alive"
}
],
"content": {
"size": 572,
"compression": 0,
"mimeType": "text/html",
"text": "<html>\r\n<head><title>502 Bad Gateway</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>502 Bad Gateway</h1></center>\r\n<hr><center>openresty</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n"
},
"redirectURL": "",
"headersSize": 173,
"bodySize": 572
}
}