Bug 曝光台 Tuniu RESTful API Bug | 途牛 RESTful API Bug

LawisChen · 2020年05月17日 · 979 次阅读

Recently, we found RESTful API bugs in some popular mobile applications by a fuzzing test tool:

Tuniu - version: 10.19.0


近期,我们利用某模糊测试工具发现了几家大厂 App 接口存在如下 bug:

途牛 - 版本: 10.19.0

Appendix 附录

  • Bug ID 10

    {
      "appName": "Tuniu",
      "method": "GET",
      "url": "https://api.tuniu.com/newcomer/home/vip/recommend",
      "status_code": 500,
      "request": {
        "c": {
          "cc": 2500,
          "ct": 20,
          "dt": 1,
          "ov": 20,
          "p": 10716,
          "v": "10.19.0"
        }
      },
      "response_data": "Request processing failed; nested exception is com.alibaba.fastjson.JSONException: syntax error, expect {, actual error, pos 0, fastjson-version 1.2.60\n org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:978)\n org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:868)\n javax.servlet.http.HttpServlet.service(HttpServlet.java:648)\n org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)\n javax.servlet.http.HttpServlet.service(HttpServlet.java:729)\n org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\n org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)\n org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n com.tuniu.cmt.newcomer.Swagger2SpringBoot$SwaggerApiPrivateIpOnlyFilter.doFilterInternal(Swagger2SpringBoot.java:287)\n org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n com.tuniu.mob.boot.http.autoconfigure.ContentTypeFilter.doFilterInternal(ContentTypeFilter.java:36)\n org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n com.tuniu.mob.boot.tsp.TspInterceptor.doFilter(TspInterceptor.java:74)\n com.tuniu.mob.boot.tsp.TspInterceptor.invoke(TspInterceptor.java:37)\n org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)\n org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:653)\n com.tuniu.operation.platform.tsg.base.filter.FrameWorkFilter$$EnhancerBySpringCGLIB$$a070d4f.doFilter(<generated>)\n org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)\n org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)\n org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:106)\n org.springframework.boot.context.web.ErrorPageFilter.forwardToErrorPage(ErrorPageFilter.java:178)\n org.springframework.boot.context.web.ErrorPageFilter.handleException(ErrorPageFilter.java:161)\n org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:124)\n org.springframework.boot.context.web.ErrorPageFilter.access$000(ErrorPageFilter.java:59)\n org.springframework.boot.context.web.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:88)\n org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:106)"
    }
    
暂无回复。
需要 登录 后方可回复, 如果你还没有账号请点击这里 注册