How to discover the safe flaw of Web App Yummy Days? (turn)

How to discover the safe flaw of Web App Yummy Days? (turn)

Regard the development that Web of a finance uses as personnel, I pay close attention to safe problem particularly all the time. In two years of in the past, a few Web that I participate in apply before entering manufacturing mode, can pass comprehensive and strict safe inspection, in order to ensure they use the security after in complete investment.

In this experience, also let me acquire a lot of knowledge – about safety to be like identity test and verify, potential risk requests, infuse is waited a moment – and how to design more safe application program.

Safety is my passionate place, and another kind of passion that eating is me. Lunch time is me a day in most one of enjoyment hour. El Tenedor (in Spain) / The Fork is the most convenient application order that books dining room, include a lot of rebates among them, can help me save next not little money.

In the article, my general reveals I am the safe flaw that how discovers Web App Yummy Days to you, and how compose proposes a simple automatic client end, let me win the award of Yummy Days sales promotion.

Attention: Certain part may need you to have certain technical knowledge to undertake understanding in article.

The Yummy Days

To those unfamiliar for the person, the Yummy Days is the sales promotion activity of a week of a by a definite date, want you to keep consistent in daily game only, you can win an award that is as high as 120 €?to take Ums of bald Ting of muching make one's rounds, the account that these award will be added to you is exchangeable discount (1000 Yums is equivalent to dining-room Zhang sheet the discount of 10 euro) .

After sales promotion activity begins, an activity Banner can see on The Fork App. The interface after opening is shown as follows:

How to discover the safe flaw of Web App Yummy Days? (turn)

Want to participate in game, you need to offer your email, in order to get game qualification, click next " PLAY " pushbutton. When referring this to express sheet, you must want to click pushbutton to ability touchs hair animation and examined you to whether win award.

How to discover the safe flaw of Web App Yummy Days? (turn)

You can play everyday, play 7 days continuously, will win award.

If you are enough lucky, you can take out a Yum from inside salad, this shows you won award, you will obtain a code to be able to be booked in the next in use, yums can be added to your account. Conversely, the lettuce that you can take out purple from inside salad (or the thing of other purple) , this states you do not have a lieutenant general.

I played this game 34 days, got probably 300 Yums!

How to discover the safe flaw of Web App Yummy Days? (turn)

To expressing the reflection of sheet

With respect to the last day in Yummy Days, notice and think what enquire the watch sheet of my email address caused me inadvertently. Sales promotion page is to be in some kind embedded open in the browser, I can see the URL that visitting easily (conceal in on in the graph) .

I am very curious, so I opened an URL on my computer, enabled cereal song browser and option of its developer tool among them, in order to record all requests in my the last game in Yummy Days sales promotion.

How to discover the safe flaw of Web App Yummy Days? (turn)

Very unfortunate, but I can analyse request daily record, with knowing the thing that produces in daily game. It seems that user interface is issueing a request to Restful API server, so I was saved request and answer, I try to use my email address again, I am weighed directional the clew page that went to to say I had played game.

Somebody may think this is not a serious problem, because, this needs our hand to move fill in address of email of a random, accept sales promotion condition, code is saved below lucky circumstance, repeat whole process repeatedly. Although this individual can win a few award, but this too won't big to the result generation of sales promotion impact, but if I repeat this process automation in per sec. ?

Automation is carried out

The method that a lot of differ can be moved with coming from change this course, but what I like most is Postman. Postman is end of a client, it allows us to issue HTTP request to API, request around to implement code part in every.

How to discover the safe flaw of Web App Yummy Days? (turn)

All requests in the game process that before are you still written down, my use Google Chrome Developer Tools records? We are about to use these requests now. For this, the gather that I founded to include 3 requests (Get Cookies, fill Form and Play) .

The first requests Get Cookies, it is the HTTP GET Url request to Yummy Dayspage. In Test option card, you can place a paragraph of code that will implement after the request, I installed variable of two Postman environment, include the cost that answers two accessary Cookie among them, in be located in Set-Cookie Header, period of efficacy is request hind 15 minutes.

How to discover the safe flaw of Web App Yummy Days? (turn)

In Fill Form of the 2nd request, I think duplicate watch sheet is referred, namely HTTP POST arrives Url. I founded simple request script beforehand, a code that implements before the request, the environment that is used at installing an email address that makes randomly is variable.

How to discover the safe flaw of Web App Yummy Days? (turn)

I still used this generated email to install the JSON Body of POST, following place show:

How to discover the safe flaw of Web App Yummy Days? (turn)

Try to return 500 condition to pile up for the first time (in-house server mistake) , show this request has a few problems. Examine the request of the record in Google Chrome, two Cookie that store before my general and other Cookie are installed together for Header, answer a code this for 200, too marvellous!

How to discover the safe flaw of Web App Yummy Days? (turn)

It is finally in Play request, my general is duplicate the behavior that hits hair animation button, whether to win award in order to check you. This is the simple GET to URL, of a request identical and heading.

I added a Test, whether to already win award in order to check, filter the attempt does not have any award or reduplicative email address. If there is award in this attempt, the response that requests to this controls the record Taichun in Postman.

How to discover the safe flaw of Web App Yummy Days? (turn)

I already collected 3 executable requests, so that use address of email of a random to play game, accordingly I can be in N second this request is executed in the iteration that carry out.

How to discover the safe flaw of Web App Yummy Days? (turn)

Use Collection Runner, I ran 100 times game, but do not have bear the palm, so I decide to try more iteration times, can see the test of a Playrequest is passed, and the following JSON is recorded arrived console, express this bright I won award!

{" Id " : 16490, "Code " : "****** " , / / Code Has Been Hidden " Date_to_win " : "06 – of 2018 – 10 17:36:56 " , "Type " : "300 " , / / 300 Yums Price " Value " : 5, "User_id " : 217467, "Country_id " : 1, "Created_at " : Null, "Updated_at " : "06 – of 2018 – 10 17:36:57 " }

To this, I had proved I can get the sales promotion award of Yummy Days automatically, this is it seems that be based on time and country (can see through Date_to_win and Country_id attribute) , the result that affects sales promotion badly (Updated_at and Date_to_win differred only one second! ) .

Is angel diabolical still?

How to discover the safe flaw of Web App Yummy Days? (turn)

Imagine " evil " setting:

What to if am I uninterrupted during sales promotion,carry out these requests to you can happen? What can if I am all countries to execute these requests,you produce again?

Want me to be willing only, my general can win award of many Yummy Days sales promotion.

Additional, what I need to know is whether it can is opposite a large number of requests that come from same IP have some kind of restriction. Devil always is greedy, I founded a simple script, use Newman runs derived Postman Collection indefinitely in Shell circularly:

While True; Do Newman Run TheForkYummyDays.postman_collection.json; Done

I carried out near 45 minutes uninterruptedly, but was not prevented by the server. In this paragraph of time, I won 35 award in all, 300 Yums, include a Yums of 1000 and a Yums of 2000 among them.

At this moment in me the angel of right shoulder begins to remind me, persuade me to let me stop, now is the message that moment notices to The Fork concerns leak. I sent an email to them, include the discount code of the different award that I win and technicality among them.

After a few days, I got their mail response, inform me to say they already gave Technical Division to solve problem report, for this they rewarded the discount code of my 1000 Yums to thanks!

Alleviate measure

Whether is in the server end checks email registered on The Fork

This should be the best method that solves this problem, no matter undertake on UI what is checked, answer to carry the safety that finish to check in the server from beginning to end. This will not allow any email addresses that did not register to participate in sales promotion activity.

Page of built-in in process of The Fork application sales promotion

If page of Yummy Days sales promotion is built-in,be in The Fork App, is not to be in embedded open in the browser, so it is very difficult that the URL that wants to examine The Yummy Days is met. If you want built-in Iframe, so I suggest use X-Frame-Options is heading, embed this page only in permission URL, prevent Clickjacking attack thereby.

Prevent the IP address that requests several limitation more than

The time that if same IP is in,provides paragraph inside exceed a certain quantity of request, ought to undertake limitative or prevent.

未经允许不得转载:News » How to discover the safe flaw of Web App Yummy Days? (turn)