- Development principles
- Vulnerability type - Override of privilege
- Vulnerability type - Information disclosure
- Vulnerability type - Crawler traversal
- Vulnerability type - Failure to follow up on changes in authorized user information
- Vulnerability type - Injection class
- Vulnerability type - Upload and download class
- Reference
This article is based on an article published by the WeChat Developer Platform, with some of my own thoughts added.
Background
If the security of a mini program's business interfaces is not considered during development, security holes are easy to introduce, with the risk that users' personal information and privacy leak.
This article mainly records business logic vulnerabilities. This type of vulnerability has two characteristics:
- it is not easy to find with automated scanning;
- it is relatively common.
Development principles
Developers are advised to follow these principles throughout application development:
- Principle of mutual distrust: do not trust data submitted by users, including data provided by third-party systems; any data the business depends on must be verified on the back end.
- Principle of least privilege: code, modules, etc. are given only the minimum permissions needed to complete their task; do not grant unnecessary permissions.
- Sensitive user data must not be stored in clear text: it must be securely encrypted so that a database dump ("dragging the database") does not expose it.
- Interface authentication: apart from the login interface, every non-public interface must authenticate the caller, and detailed logs must be kept for traceability.
- Mini program code (excluding cloud function code) is comparable to the front-end code of a traditional web application: it can be obtained and deobfuscated by outsiders. Important business logic belongs in back-end code or cloud functions.
- Back-end interface calls and cloud function calls must undergo effective identity authentication.
Vulnerability type - Override of privilege
There is currently no way to detect this kind of vulnerability automatically; it is a business logic vulnerability, and finding it is quite labor-intensive.
Unauthorized access
Some mini programs do not set up login authorization checks because their business deals with public information. As a result, the interface is used by black- and gray-market operators for malicious activities such as information reselling and information monitoring.
Users can access detailed information directly through an order ID, mobile phone number, license plate or similar identifier, without logging in.
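The following is an added example, not code from the original article or the WeChat platform: a back-end order lookup that applies interface authentication, type-checks the client-supplied order ID, and refuses to return an order the caller does not own, logging each refusal. The session store and order table are constructed in-memory sample data.

```javascript
// Added example: order lookup with authentication and ownership check.
// Sessions and orders are constructed in-memory sample data, not a real store.
const sessions = new Map([
  ['sess-alice', { userId: 'u1' }],
  ['sess-bob',   { userId: 'u2' }],
]);
const orders = new Map([
  [1001, { ownerId: 'u1', phone: '138****0001', address: 'Shenzhen, Nanshan' }],
  [1002, { ownerId: 'u2', phone: '139****0002', address: 'Beijing, Haidian' }],
]);
const auditLog = [];   // detailed log for traceability, as the principles require

// Returns { status, order } on success or { status, error } on refusal.
function getOrder(sessionToken, rawOrderId) {
  // 1. Interface authentication: a non-public interface needs a valid session.
  const session = sessions.get(sessionToken);
  if (!session) {
    auditLog.push({ event: 'unauthenticated', orderId: rawOrderId });
    return { status: 401, error: 'login required' };
  }
  // 2. Mutual distrust: the order ID comes from the client, so check its type.
  if (!/^\d{1,12}$/.test(String(rawOrderId))) {
    return { status: 400, error: 'invalid order id' };
  }
  const orderId = Number(rawOrderId);
  const order = orders.get(orderId);
  // 3. Least privilege: a logged-in user may only read orders they own.
  //    "Missing" and "not yours" get the same 404 so the interface does not
  //    confirm which order IDs exist (which would aid traversal).
  if (!order || order.ownerId !== session.userId) {
    auditLog.push({ event: 'forbidden_or_missing', userId: session.userId, orderId });
    return { status: 404, error: 'order not found' };
  }
  auditLog.push({ event: 'read', userId: session.userId, orderId });
  return { status: 200, order };
}
```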
Vulnerability type - Information disclosure
There is currently no way to detect this kind of vulnerability automatically; it is a business logic vulnerability, and finding it is quite labor-intensive.
Vulnerability type - Crawler traversal
There is currently no way to detect this kind of vulnerability automatically; it is a business logic vulnerability, and finding it is quite labor-intensive.
Vulnerability type - Failure to follow up on changes in authorized user information
This is a design loophole, and it may not have been considered from the beginning: after a user logs out, cancels the account or updates their details, how is the user information that was already obtained handled?
Risk identification
Developers obtain user information through the WeChat mini program API with the explicit consent of the user. When the user information expires, the user actively cancels authorization, or the user cancels the account, the developer must promptly clean up the previously obtained user information, fulfil the corresponding personal information protection obligations in a timely manner, and protect users' rights and interests.
Handling suggestions
Developers need to set up the "message push server configuration" so that notifications about authorization information from the WeChat platform are received and processed in a timely manner;
/miniprogram/security/basic/
Vulnerability type - Injection class
Injection vulnerabilities can now be detected automatically; just refer to the suggested repair methods below.
SQL injection
Handling suggestions
- Use the parameterized queries provided by the database for database operations. Synthesizing SQL statements directly by splicing (concatenating) strings is not allowed.
- If there are situations where SQL must be synthesized by splicing, the spliced variables must be processed: "For integers, check whether the variable is of integer type; for strings, single quotes, double quotes, etc. need to be escaped."
- Prevent the web application from displaying SQL error messages.
- Ensure uniform character encoding across each data layer of the web application.
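An added example (not from the original article) that puts the string-spliced query beside the parameterized form the first suggestion calls for, plus the integer check from the second suggestion for a value that cannot be bound. The `db` object is a constructed stand-in that records the SQL text and bound parameters instead of talking to a real database.

```javascript
// Added example: spliced SQL vs. parameterized SQL.
// `db` is a constructed stand-in: it records what would be sent to the database.
const db = {
  last: null,
  query(sql, params = []) {
    this.last = { sql, params };
    return this.last;
  },
};

// VULNERABLE (the "before" case): the client value becomes part of the SQL text,
// so a quote in the value changes the meaning of the statement.
function findUserUnsafe(phone) {
  return db.query(`SELECT id, nickname FROM users WHERE phone = '${phone}'`);
}

// SAFE: the value travels as a bound parameter; the SQL text never changes.
function findUserSafe(phone) {
  return db.query('SELECT id, nickname FROM users WHERE phone = ?', [phone]);
}

// Some positions (LIMIT, ORDER BY) cannot take a bound parameter in many
// databases. Following the article's rule, an integer is type-checked before
// it is spliced; anything else is rejected outright.
function listOrders(userId, rawLimit) {
  if (!Number.isInteger(rawLimit) || rawLimit < 1 || rawLimit > 100) {
    throw new RangeError('limit must be an integer between 1 and 100');
  }
  return db.query(
    `SELECT id, status FROM orders WHERE user_id = ? LIMIT ${rawLimit}`,
    [userId],
  );
}
```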
Command injection
Handling suggestions
- Filter or escape user-entered data (characters such as ;, |, &, etc.).
- Do not trust any content sent by the front end (web page, mini program) in requests. Type-check all parameters and avoid directly executing commands passed from the front end.
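An added example, not code from the original article: a back end builds a thumbnail-conversion command from client-supplied parameters by type-checking each one and producing an argument array for `child_process.execFile`, which starts no shell, so `;`, `|` and `&` stay ordinary characters. The image id pattern, the format allow-list and the directory paths are assumptions for this example.

```javascript
// Added example: validated parameters -> argv for execFile (no shell involved).
// The id shape, allowed formats and paths below are assumptions for the example.
const ALLOWED_FORMATS = new Set(['png', 'jpg', 'webp']);
const IMAGE_ID = /^[a-f0-9]{32}$/;   // assumed: server-issued 32-char hex id

// Returns { file, args } to hand to execFile, or throws on any bad parameter.
function buildThumbnailArgv(params) {
  const { imageId, format, width } = params;
  if (typeof imageId !== 'string' || !IMAGE_ID.test(imageId)) {
    throw new TypeError('imageId must be a 32-character hex id');
  }
  if (!ALLOWED_FORMATS.has(format)) {
    throw new TypeError('format not in allow-list');
  }
  const w = Number(width);
  if (!Number.isInteger(w) || w < 16 || w > 2048) {
    throw new RangeError('width must be an integer between 16 and 2048');
  }
  // Paths are derived from the validated id on the server side; the client
  // never supplies a path or a command.
  const input = `/srv/uploads/${imageId}`;
  const output = `/srv/thumbs/${imageId}.${format}`;
  return { file: 'convert', args: [input, '-resize', `${w}x${w}`, output] };
}

// How the result is consumed (not executed here):
//   const { execFile } = require('child_process');
//   const { file, args } = buildThumbnailArgv(req.body);
//   execFile(file, args, (err, stdout) => { /* ... */ });   // argv, not a shell string
```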
Vulnerability type - Upload and download class
Such vulnerabilities can now be detected automatically; just refer to the recommended repair methods below.
Handling suggestions (upload)
- Correctly parse the file type of uploaded files and restrict the allowed types with a whitelist;
- Check the file's binary header on the back end;
- Uploaded files should be stored in isolation from the server that runs the back-end program;
- The upload directory must not be given writable or executable permissions;
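An added example (not from the original article) of the first two upload suggestions: the file type is decided from the binary header against a whitelist, the client-supplied extension must agree with it, and the stored name is generated by the server. The magic-byte table covers PNG, JPEG and GIF; the sample buffers are constructed.

```javascript
// Added example: whitelist file-type check based on the binary header.
// Magic bytes for PNG, JPEG and GIF; sample buffers at the bottom are constructed.
const MAGIC = [
  { type: 'png',  ext: 'png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'jpeg', ext: 'jpg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'gif',  ext: 'gif', bytes: [0x47, 0x49, 0x46, 0x38] },   // "GIF8"
];
const WHITELIST = new Set(['png', 'jpeg', 'gif']);

// Returns the MAGIC entry whose header matches the buffer, or null.
function sniffType(buf) {
  for (const m of MAGIC) {
    if (buf.length >= m.bytes.length && m.bytes.every((b, i) => buf[i] === b)) {
      return m;
    }
  }
  return null;
}

// Decides whether an upload is accepted and under which server-generated name
// it is stored. Neither the client filename nor Content-Type is trusted.
function checkUpload(buf, clientFilename, storedId) {
  const detected = sniffType(buf);
  if (!detected || !WHITELIST.has(detected.type)) {
    return { ok: false, reason: 'file content is not an allowed image type' };
  }
  // The claimed extension must agree with the content, or the file is refused.
  const claimedExt = clientFilename.split('.').pop().toLowerCase();
  if (claimedExt !== detected.ext) {
    return { ok: false, reason: `extension .${claimedExt} does not match ${detected.type} content` };
  }
  return { ok: true, type: detected.type, storedName: `${storedId}.${detected.ext}` };
}

// Constructed samples: a truncated PNG header and a plain-text file.
const PNG_SAMPLE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0]);
const TEXT_SAMPLE = Buffer.from('plain text, not an image', 'utf8');
```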
Handling suggestions (download)
- Correctly limit the directory range in which downloadable files are located;
- Locate and download the corresponding file by a specified file id;
Reference
- @Developer, you must read these loopholes! /s/BSphYEjQb1PCHKW4qTGWXg
- Mini Program Security Guidelines /miniprogram/security/basic/