Bug Exposure Board: WUBA RESTful API Bug | 58 同城 RESTful API Bug

LawisChen · 17 May 2020 · last reply by LawisChen on 20 May 2020 · 2150 views

Recently, we found RESTful API bugs in some popular mobile applications by a fuzzing test tool:

WUBA - version: 9.1.2

Appendix

  • Bug ID 11

    {
      "appName": "WUBA",
      "method": "POST",
      "url": "https://browserkernel.baidu.com/integration.php",
      "status_code": 502,
      "request": {
        "method": "POST",
        "url": "https://browserkernel.baidu.com/integration.php",
        "httpVersion": "HTTP/1.1",
        "cookies": [],
        "headers": [
          {
            "name": "Content-length",
            "value": "3453"
          },
          {
            "name": "accept-encoding",
            "value": "gzip,deflate"
          },
          {
            "name": "Content-Type",
            "value": "application/x-www-form-urlencoded"
          },
          {
            "name": "User-Agent",
            "value": "Dalvik/2.1.0 (Linux; U; Android 6.0; HUAWEI MT7-CL00 Build/HuaweiMT7-CL00)"
          },
          {
            "name": "Host",
            "value": "browserkernel.baidu.com"
          },
          {
            "name": "Connection",
            "value": "Keep-Alive"
          }
        ],
        "queryString": [],
        "headersSize": 300,
        "bodySize": 3453,
        "postData": {
          "mimeType": "application/x-www-form-urlencoded",
          "text": "[{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/evilpage\\/evilpage_whiteblack_list.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1561708951},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/stopwords.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/diting20.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1568725149},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/sailor\\/monitorconfig?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1557217912},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/diting_max_force_checked_list.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1572351763},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/traffic\\/page_traffic_config.json?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/fakeBaidu26.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/phoenix_opt.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1563966326},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingPlus.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1572608394},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/newpac31\\/videoproxy.conf.txt\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.conf.txt?ProxyType=SPDYANDOVERSEAS_PROXY&SdkVer=9.20.2.16\",\"last_modified\":1562745518},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/evilPage16.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1568203355},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingMax.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1573129057},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilter.js?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1569469246},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilterv2_white_list.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1568980277},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock_quick_filter.js?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1562932245},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1572869396},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/magicFilter30.conf_v1?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1567071596},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.conf.txt?ProxyType=SPDYANDOVERSEAS_PROXY&SdkVer=9.20.2.16&mianliu=true\",\"last_modified\":1547541420}]",
          "params": [
            {
              "name": "[{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/evilpage\\/evilpage_whiteblack_list.dat?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1561708951},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/stopwords.pb?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/diting20.pb?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1568725149},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/sailor\\/monitorconfig?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1557217912},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/diting_max_force_checked_list.dat?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1572351763},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/traffic\\/page_traffic_config.json?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/fakeBaidu26.pb?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/phoenix_opt.dat?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1563966326},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingPlus.pb?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1572608394},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/newpac31\\/videoproxy.conf.txt\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.conf.txt?ProxyType",
              "value": "SPDYANDOVERSEAS_PROXY"
            },
            {
              "name": "SdkVer",
              "value": "9.20.2.16\",\"last_modified\":1562745518},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/evilPage16.pb?zeus_ver=9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1568203355},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingMax.pb?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1573129057},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilter.js?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1569469246},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilterv2_white_list.dat?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1568980277},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock_quick_filter.js?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1562932245},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock.pb?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1572869396},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/magicFilter30.conf_v1?zeus_ver",
              "value": "9.20.2.16"
            },
            {
              "name": "sdk",
              "value": "9.20.2.16"
            },
            {
              "name": "app",
              "value": "com.baidu.searchbox"
            },
            {
              "name": "appversion",
              "value": "11.15.0.12"
            },
            {
              "name": "\",\"last_modified\":1567071596},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.conf.txt?ProxyType",
              "value": "SPDYANDOVERSEAS_PROXY"
            },
            {
              "name": "SdkVer",
              "value": "9.20.2.16"
            },
            {
              "name": "mianliu",
              "value": "true\",\"last_modified\":1547541420}]"
            }
          ]
        }
      },
      "response_data": {
        "status": 502,
        "statusText": "Bad Gateway",
        "httpVersion": "HTTP/1.1",
        "cookies": [],
        "headers": [
          {
            "name": "Connection",
            "value": "keep-alive"
          },
          {
            "name": "Content-Length",
            "value": "537"
          },
          {
            "name": "Content-Type",
            "value": "text/html"
          },
          {
            "name": "Date",
            "value": "Fri, 08 Nov 2019 18:17:37 GMT"
          },
          {
            "name": "Etag",
            "value": "\"57d255e7-219\""
          },
          {
            "name": "Server",
            "value": "nginx"
          }
        ],
        "content": {
          "size": 537,
          "compression": 0,
          "mimeType": "text/html",
          "text": "<!DOCTYPE html>\n<html>\n<head>\n<title>Error</title>\n<style>\n    body {\n        width: 35em;\n        margin: 0 auto;\n        font-family: Tahoma, Verdana, Arial, sans-serif;\n    }\n</style>\n</head>\n<body>\n<h1>An error occurred.</h1>\n<p>Sorry, the page you are looking for is currently unavailable.<br/>\nPlease try again later.</p>\n<p>If you are the system administrator of this resource then you should check\nthe <a href=\"http://nginx.org/r/error_log\">error log</a> for details.</p>\n<p><em>Faithfully yours, nginx.</em></p>\n</body>\n</html>\n"
        },
        "redirectURL": "",
        "headersSize": 199,
        "bodySize": 537
      }
    }
    
3 replies in total

Under what circumstances is "the page you are looking for is currently unavailable" triggered?

chennian · Reply

This was triggered by automated API testing: sending a POST to https://browserkernel.baidu.com/integration.php with the parameter values from the request in the appendix returns a 502.

chennian · Reply

The failing endpoint was captured from the front-end app, but the request and its parameters were sent directly to the server by the test tool.
Are you a developer at 58 同城? We suggest you investigate; we believe this bug is caused by the server side or a third-party SDK.
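As an added example (not part of the original post, the fuzzing tool, or any vendor's code), a Python triage script that reads a record in the shape of Bug ID 11 above and flags what the replies point at: the endpoint is a third-party SDK host rather than the app's own domain, the response is a 5xx, and the body is a JSON array posted as application/x-www-form-urlencoded (which is also why the record's "params" list is garbled). The first-party domain list and the shortened copy of the record are assumptions constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed, shortened copy of the Bug ID 11 record above (same field names; body cut to one entry).
RECORD = json.loads(r'''{
  "appName": "WUBA",
  "request": {
    "method": "POST", "url": "https://browserkernel.baidu.com/integration.php",
    "headers": [{"name": "Content-Type", "value": "application/x-www-form-urlencoded"}],
    "postData": {"mimeType": "application/x-www-form-urlencoded",
      "text": "[{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/stopwords.pb?sdk=9.20.2.16\",\"last_modified\":1547541420}]"}},
  "response_data": {"status": 502, "statusText": "Bad Gateway"}
}''')

# Assumption: the app under test owns these domains; any other host counts as a third-party SDK endpoint.
FIRST_PARTY = ("58.com",)

def header(rec, name):
    """First request header value with the given name (case-insensitive), or '' if absent."""
    return next((h["value"] for h in rec["request"].get("headers", [])
                 if h["name"].lower() == name.lower()), "")

def json_body(rec):
    """Parsed POST body if it is JSON (json.loads also undoes the escaped slashes), else None."""
    try:
        return json.loads(rec["request"].get("postData", {}).get("text", ""))
    except ValueError:
        return None

def body_hosts(rec):
    """Hosts named in the SDK's request_url list, i.e. where the SDK reports it has been fetching from."""
    entries = json_body(rec)
    if not isinstance(entries, list):
        return []
    return sorted({urlparse(e["request_url"]).hostname for e in entries
                   if isinstance(e, dict) and "request_url" in e})

def triage(rec, first_party=FIRST_PARTY):
    """Findings for one record: third-party host, server error, JSON body sent as form data."""
    findings = []
    host = urlparse(rec["request"]["url"]).hostname or ""
    if not any(host == d or host.endswith("." + d) for d in first_party):
        findings.append("third-party endpoint: " + host)
    status = rec["response_data"]["status"]
    if status >= 500:
        findings.append("server error: %d %s" % (status, rec["response_data"].get("statusText", "")))
    ctype = header(rec, "content-type")
    if "x-www-form-urlencoded" in ctype and json_body(rec) is not None:
        findings.append("JSON body declared as " + ctype)  # why the record's 'params' list is garbled
    return findings
```

Run `triage(RECORD)` over every record the tool exported to separate third-party SDK failures like this one from bugs in the app's own API.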
