The bug that exposed your PayPal password


When hunting for security issues, the pursuit of uncharted assets and obscure endpoints often ends up taking the focus away from obvious, but still critical, functionality.


If you approach a target like you are the first person to ever perform a security assessment on it, and check everything thoroughly, I believe you are bound to find something new — especially if the code you are testing has been in continuous development for a while.


This is the story of a high-severity bug affecting what is probably one of PayPal’s most visited pages: the login form.


Initial discovery

While exploring PayPal’s main authentication flow, I noticed a JavaScript file containing what appeared to be a CSRF token and a session ID:


This immediately drew my attention, because placing any kind of session data inside a valid JavaScript file usually allows attackers to retrieve it: unlike JSON or HTML, a script can be loaded by any origin with a plain <script> tag, and the browser's same-origin policy does not stop it from executing there.


In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page uses an HTML <script> tag to import a script cross-origin. The script then runs in the attacker's page, so any data it exposes through side effects, such as global variables it defines or callbacks it invokes, becomes readable to the attacker even though the raw response body itself never is.


Sure enough, a quick test confirmed the XSSI vulnerability and, although a JavaScript obfuscator was used to randomize variable names on each request, the interesting tokens were still placed in fairly predictable locations, making it possible to retrieve them with just a bit of extra work.

