Bug 曝光台 WUBA RESTful API Bug | 58 同城 RESTful API Bug

LawisChen · May 17, 2020 · Last reply by LawisChen on May 20, 2020 · 1843 hits

Recently, using a fuzzing test tool, we found RESTful API bugs in several popular mobile applications:

WUBA - version: 9.1.2


近期,我们利用某模糊测试工具发现了几家大厂App接口存在如下bug:

58同城 - 版本: 9.1.2

Appendix 附录

  • Bug ID 11

    {
    "appName": "WUBA",
    "method": "POST",
    "url": "https://browserkernel.baidu.com/integration.php",
    "status_code": 502,
    "request": {
    "method": "POST",
    "url": "https://browserkernel.baidu.com/integration.php",
    "httpVersion": "HTTP/1.1",
    "cookies": [],
    "headers": [
    {
    "name": "Content-length",
    "value": "3453"
    },
    {
    "name": "accept-encoding",
    "value": "gzip,deflate"
    },
    {
    "name": "Content-Type",
    "value": "application/x-www-form-urlencoded"
    },
    {
    "name": "User-Agent",
    "value": "Dalvik/2.1.0 (Linux; U; Android 6.0; HUAWEI MT7-CL00 Build/HuaweiMT7-CL00)"
    },
    {
    "name": "Host",
    "value": "browserkernel.baidu.com"
    },
    {
    "name": "Connection",
    "value": "Keep-Alive"
    }
    ],
    "queryString": [],
    "headersSize": 300,
    "bodySize": 3453,
    "postData": {
    "mimeType": "application/x-www-form-urlencoded",
    "text": "[{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/evilpage\\/evilpage_whiteblack_list.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1561708951},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/stopwords.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/diting20.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1568725149},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/sailor\\/monitorconfig?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1557217912},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/diting_max_force_checked_list.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1572351763},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/traffic\\/page_traffic_config.json?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/fakeBaidu26.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/phoenix_opt.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1563966326},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingPlus.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1572608394},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/newpac31\\/videoproxy.conf.txt\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.
conf.txt?ProxyType=SPDYANDOVERSEAS_PROXY&SdkVer=9.20.2.16\",\"last_modified\":1562745518},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/evilPage16.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1568203355},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingMax.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1573129057},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilter.js?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1569469246},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilterv2_white_list.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1568980277},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock_quick_filter.js?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1562932245},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1572869396},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/magicFilter30.conf_v1?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1567071596},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.conf.txt?ProxyType=SPDYANDOVERSEAS_PROXY&SdkVer=9.20.2.16&mianliu=true\",\"last_modified\":1547541420}]",
    "params": [
    {
    "name": "[{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/evilpage\\/evilpage_whiteblack_list.dat?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1561708951},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/stopwords.pb?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/diting20.pb?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1568725149},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/sailor\\/monitorconfig?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1557217912},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/diting_max_force_checked_list.dat?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1572351763},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/traffic\\/page_traffic_config.json?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/fakeBaidu26.pb?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/phoenix_opt.dat?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1563966326},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingPlus.pb?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1572608394},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/newpac31\\/videoproxy.conf.txt\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.conf.txt?ProxyType",
    "value": "SPDYANDOVERSEAS_PROXY"
    },
    {
    "name": "SdkVer",
    "value": "9.20.2.16\",\"last_modified\":1562745518},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/evilPage16.pb?zeus_ver=9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1568203355},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingMax.pb?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1573129057},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilter.js?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1569469246},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilterv2_white_list.dat?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1568980277},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock_quick_filter.js?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1562932245},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock.pb?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1572869396},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/magicFilter30.conf_v1?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1567071596},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.conf.txt?ProxyType",
    "value": "SPDYANDOVERSEAS_PROXY"
    },
    {
    "name": "SdkVer",
    "value": "9.20.2.16"
    },
    {
    "name": "mianliu",
    "value": "true\",\"last_modified\":1547541420}]"
    }
    ]
    }
    },
    "response_data": {
    "status": 502,
    "statusText": "Bad Gateway",
    "httpVersion": "HTTP/1.1",
    "cookies": [],
    "headers": [
    {
    "name": "Connection",
    "value": "keep-alive"
    },
    {
    "name": "Content-Length",
    "value": "537"
    },
    {
    "name": "Content-Type",
    "value": "text/html"
    },
    {
    "name": "Date",
    "value": "Fri, 08 Nov 2019 18:17:37 GMT"
    },
    {
    "name": "Etag",
    "value": "\"57d255e7-219\""
    },
    {
    "name": "Server",
    "value": "nginx"
    }
    ],
    "content": {
    "size": 537,
    "compression": 0,
    "mimeType": "text/html",
    "text": "<!DOCTYPE html>\n<html>\n<head>\n<title>Error</title>\n<style>\n body {\n width: 35em;\n margin: 0 auto;\n font-family: Tahoma, Verdana, Arial, sans-serif;\n }\n</style>\n</head>\n<body>\n<h1>An error occurred.</h1>\n<p>Sorry, the page you are looking for is currently unavailable.<br/>\nPlease try again later.</p>\n<p>If you are the system administrator of this resource then you should check\nthe <a href=\"http://nginx.org/r/error_log\">error log</a> for details.</p>\n<p><em>Faithfully yours, nginx.</em></p>\n</body>\n</html>\n"
    },
    "redirectURL": "",
    "headersSize": 199,
    "bodySize": 537
    }
    }

什么情况下触发的 "the page you are looking for is currently unavailable"?

LawisChen #2 · May 19, 2020 作者
chennian 回复

这是通过自动化 API 测试触发的：用附录中 request 里面的参数值请求 POST https://browserkernel.baidu.com/integration.php 这个接口，就会返回 502。

LawisChen #3 · May 20, 2020 作者
chennian 回复

这个报错的接口是从前端APP里面抓取的,但是请求和参数是由测试工具直接发给服务端的。
您是58同城的开发人员吗?建议你们排查一下,我们认为这个bug是由服务端或者第三方SDK引起的。
