Recently, we found RESTful API bugs in several popular mobile applications using a fuzzing tool:
Bug ID 11
API: POST https://browserkernel.baidu.com/integration.php
The request returns HTTP status code 502 (Bad Gateway). Note that the request body is a JSON array sent with Content-Type application/x-www-form-urlencoded; the capture tool accordingly splits it into meaningless form parameters, and whether this Content-Type/body mismatch is what the upstream server rejects has not been confirmed.
See the full request and response in the appendix -> Bug ID 11
近期,我们利用某模糊测试工具发现了几家大厂 App 接口存在如下 bug:
Bug ID 11
接口: POST https://browserkernel.baidu.com/integration.php
报 502
具体报文见附录 -> Bug ID 11
Bug ID 11
{
"appName": "WUBA",
"method": "POST",
"url": "https://browserkernel.baidu.com/integration.php",
"status_code": 502,
"request": {
"method": "POST",
"url": "https://browserkernel.baidu.com/integration.php",
"httpVersion": "HTTP/1.1",
"cookies": [],
"headers": [
{
"name": "Content-length",
"value": "3453"
},
{
"name": "accept-encoding",
"value": "gzip,deflate"
},
{
"name": "Content-Type",
"value": "application/x-www-form-urlencoded"
},
{
"name": "User-Agent",
"value": "Dalvik/2.1.0 (Linux; U; Android 6.0; HUAWEI MT7-CL00 Build/HuaweiMT7-CL00)"
},
{
"name": "Host",
"value": "browserkernel.baidu.com"
},
{
"name": "Connection",
"value": "Keep-Alive"
}
],
"queryString": [],
"headersSize": 300,
"bodySize": 3453,
"postData": {
"mimeType": "application/x-www-form-urlencoded",
"text": "[{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/evilpage\\/evilpage_whiteblack_list.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1561708951},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/stopwords.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/diting20.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1568725149},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/sailor\\/monitorconfig?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1557217912},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/diting_max_force_checked_list.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1572351763},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/traffic\\/page_traffic_config.json?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/fakeBaidu26.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/phoenix_opt.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1563966326},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingPlus.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1572608394},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/newpac31\\/videoproxy.conf.txt\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.conf
.txt?ProxyType=SPDYANDOVERSEAS_PROXY&SdkVer=9.20.2.16\",\"last_modified\":1562745518},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/evilPage16.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1568203355},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingMax.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1573129057},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilter.js?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1569469246},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilterv2_white_list.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1568980277},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock_quick_filter.js?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1562932245},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1572869396},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/magicFilter30.conf_v1?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1567071596},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.conf.txt?ProxyType=SPDYANDOVERSEAS_PROXY&SdkVer=9.20.2.16&mianliu=true\",\"last_modified\":1547541420}]",
"params": [
{
"name": "[{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/evilpage\\/evilpage_whiteblack_list.dat?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1561708951},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/stopwords.pb?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/diting20.pb?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1568725149},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/sailor\\/monitorconfig?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1557217912},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/diting_max_force_checked_list.dat?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1572351763},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/traffic\\/page_traffic_config.json?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/fakeBaidu26.pb?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/phoenix_opt.dat?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1563966326},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingPlus.pb?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1572608394},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/newpac31\\/videoproxy.conf.txt\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.conf.txt?ProxyType",
"value": "SPDYANDOVERSEAS_PROXY"
},
{
"name": "SdkVer",
"value": "9.20.2.16\",\"last_modified\":1562745518},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/evilPage16.pb?zeus_ver=9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1568203355},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingMax.pb?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1573129057},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilter.js?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1569469246},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilterv2_white_list.dat?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1568980277},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock_quick_filter.js?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1562932245},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock.pb?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1572869396},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/magicFilter30.conf_v1?zeus_ver",
"value": "9.20.2.16"
},
{
"name": "sdk",
"value": "9.20.2.16"
},
{
"name": "app",
"value": "com.baidu.searchbox"
},
{
"name": "appversion",
"value": "11.15.0.12"
},
{
"name": "\",\"last_modified\":1567071596},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.conf.txt?ProxyType",
"value": "SPDYANDOVERSEAS_PROXY"
},
{
"name": "SdkVer",
"value": "9.20.2.16"
},
{
"name": "mianliu",
"value": "true\",\"last_modified\":1547541420}]"
}
]
}
},
"response_data": {
"status": 502,
"statusText": "Bad Gateway",
"httpVersion": "HTTP/1.1",
"cookies": [],
"headers": [
{
"name": "Connection",
"value": "keep-alive"
},
{
"name": "Content-Length",
"value": "537"
},
{
"name": "Content-Type",
"value": "text/html"
},
{
"name": "Date",
"value": "Fri, 08 Nov 2019 18:17:37 GMT"
},
{
"name": "Etag",
"value": "\"57d255e7-219\""
},
{
"name": "Server",
"value": "nginx"
}
],
"content": {
"size": 537,
"compression": 0,
"mimeType": "text/html",
"text": "<!DOCTYPE html>\n<html>\n<head>\n<title>Error</title>\n<style>\n body {\n width: 35em;\n margin: 0 auto;\n font-family: Tahoma, Verdana, Arial, sans-serif;\n }\n</style>\n</head>\n<body>\n<h1>An error occurred.</h1>\n<p>Sorry, the page you are looking for is currently unavailable.<br/>\nPlease try again later.</p>\n<p>If you are the system administrator of this resource then you should check\nthe <a href=\"http://nginx.org/r/error_log\">error log</a> for details.</p>\n<p><em>Faithfully yours, nginx.</em></p>\n</body>\n</html>\n"
},
"redirectURL": "",
"headersSize": 199,
"bodySize": 537
}
}