Recently, using a fuzz-testing tool, we found RESTful API bugs in several popular mobile applications (apps of major vendors). One of them:
Bug ID 10
API: GET https://api.tuniu.com/newcomer/home/vip/recommend
Result: the server returns HTTP 500; the response body is an unhandled com.alibaba.fastjson.JSONException together with the server-side stack trace.
See the full request and response in the appendix -> Bug ID 10
Appendix: Bug ID 10
{
  "appName": "Tuniu",
  "method": "GET",
  "url": "https://api.tuniu.com/newcomer/home/vip/recommend",
  "status_code": 500,
  "request": {
    "c": {
      "cc": 2500,
      "ct": 20,
      "dt": 1,
      "ov": 20,
      "p": 10716,
      "v": "10.19.0"
    }
  },
  "response_data": "Request processing failed; nested exception is com.alibaba.fastjson.JSONException: syntax error, expect {, actual error, pos 0, fastjson-version 1.2.60\n org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:978)\n org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:868)\n javax.servlet.http.HttpServlet.service(HttpServlet.java:648)\n org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)\n javax.servlet.http.HttpServlet.service(HttpServlet.java:729)\n org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\n org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)\n org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n com.tuniu.cmt.newcomer.Swagger2SpringBoot$SwaggerApiPrivateIpOnlyFilter.doFilterInternal(Swagger2SpringBoot.java:287)\n org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n com.tuniu.mob.boot.http.autoconfigure.ContentTypeFilter.doFilterInternal(ContentTypeFilter.java:36)\n org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n com.tuniu.mob.boot.tsp.TspInterceptor.doFilter(TspInterceptor.java:74)\n com.tuniu.mob.boot.tsp.TspInterceptor.invoke(TspInterceptor.java:37)\n org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)\n org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:653)\n com.tuniu.operation.platform.tsg.base.filter.FrameWorkFilter$$EnhancerBySpringCGLIB$$a070d4f.doFilter(<generated>)\n org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)\n org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)\n org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:106)\n org.springframework.boot.context.web.ErrorPageFilter.forwardToErrorPage(ErrorPageFilter.java:178)\n org.springframework.boot.context.web.ErrorPageFilter.handleException(ErrorPageFilter.java:161)\n org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:124)\n org.springframework.boot.context.web.ErrorPageFilter.access$000(ErrorPageFilter.java:59)\n org.springframework.boot.context.web.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:88)\n org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\n org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:106)"
}
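A record like the one above is raw fuzzer output; what a defender wants from it is a quick triage: did the request cause an unhandled server error, did the body leak a stack trace, and what does that trace reveal (library version, first-party class names). The Python script below is an added example, not part of this report or of the fuzzing tool that produced the record. It embeds the Bug ID 10 record as constructed sample input (stack trace shortened to four frames); the framework package prefixes used to tell third-party frames from application code, and the issue labels, are assumptions.

```python
import json
import re
from dataclasses import asdict, dataclass, field
from typing import Dict, List, Optional

# Sample input, constructed from the Bug ID 10 record above; the stack trace
# is shortened to four frames to keep the example readable.
BUG_RECORD = r'''
{
  "appName": "Tuniu",
  "method": "GET",
  "url": "https://api.tuniu.com/newcomer/home/vip/recommend",
  "status_code": 500,
  "request": {"c": {"cc": 2500, "ct": 20, "dt": 1, "ov": 20, "p": 10716, "v": "10.19.0"}},
  "response_data": "Request processing failed; nested exception is com.alibaba.fastjson.JSONException: syntax error, expect {, actual error, pos 0, fastjson-version 1.2.60\n org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:978)\n javax.servlet.http.HttpServlet.service(HttpServlet.java:648)\n com.tuniu.cmt.newcomer.Swagger2SpringBoot$SwaggerApiPrivateIpOnlyFilter.doFilterInternal(Swagger2SpringBoot.java:287)\n org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:106)"
}
'''

# One Java stack frame as it appears in the body: package.Class.method(File.java:NN),
# or method(<generated>) for CGLIB proxy classes.
FRAME_RE = re.compile(r'([\w$.]+)\.(\w+)\((?:[\w$]+\.java:\d+|<generated>|Native Method)\)')
# The exception class and its message (the message ends at the first stack frame).
EXCEPTION_RE = re.compile(r'([\w.]+(?:Exception|Error))(?::\s*([^\n]*))?')
# Version strings of the form "<library>-version 1.2.60" inside the message.
VERSION_RE = re.compile(r'([\w-]+)-version\s+([\d.]+)')

# Assumption: these package prefixes are third-party frameworks; any other
# class on the stack is treated as the application's own (first-party) code.
FRAMEWORK_PREFIXES = ("org.springframework.", "org.apache.", "javax.", "java.",
                      "com.alibaba.fastjson.")


@dataclass
class Finding:
    url: str
    status_code: int
    exception: Optional[str]
    message: Optional[str]
    versions: Dict[str, str]
    frames: List[str]
    internal_classes: List[str]
    issues: List[str] = field(default_factory=list)


def load_record(text: str = BUG_RECORD) -> dict:
    """Parse one fuzzer record (JSON text) into a dict."""
    return json.loads(text)


def triage(record: dict) -> Finding:
    """Classify one fuzzer record: what failed and what the response body gives away."""
    body = record.get("response_data") or ""
    raw_frames = FRAME_RE.findall(body)
    frames = [f"{cls}.{method}" for cls, method in raw_frames]
    exc = EXCEPTION_RE.search(body)
    internal = sorted({cls for cls, _ in raw_frames if not cls.startswith(FRAMEWORK_PREFIXES)})
    finding = Finding(
        url=record["url"],
        status_code=int(record["status_code"]),
        exception=exc.group(1) if exc else None,
        message=exc.group(2) if exc else None,
        versions=dict(VERSION_RE.findall(body)),
        frames=frames,
        internal_classes=internal,
    )
    # A 5xx means malformed input reached code that did not expect it.
    if finding.status_code >= 500:
        finding.issues.append(f"unhandled server error (HTTP {finding.status_code})")
    # Two or more frames in the body means the server returned its stack trace to the client.
    if len(frames) >= 2:
        finding.issues.append("stack trace disclosed in response body")
    for lib, ver in finding.versions.items():
        finding.issues.append(f"library version disclosed: {lib} {ver}")
    if internal:
        finding.issues.append(f"first-party class names disclosed: {len(internal)}")
    return finding


if __name__ == "__main__":
    print(json.dumps(asdict(triage(load_record())), indent=2))
```

Run over a directory of such records, the `issues` list is what goes into the report: the HTTP 500 is the robustness bug the fuzzer was looking for, and the stack trace, library version and first-party class names are the information-disclosure part that the fix (catch the parse exception, answer with a 4xx and a generic body) should remove as well.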