Hacking Book | Free Online Hacking Learning


alipay red packets violence wool

Posted by forbes at 2020-03-21

Recently, I saw a lot of red envelope links in various forums, such as:

What did pangolin say? Open "XXX" to check~

Alipay exploded a huge leak and opened "XXX" to check.

Tencent member 1 yuan for one month, open "XXX" quickly to get it~

Click on the link to automatically jump to Alipay's red envelopes interface, okay, you've been woollen again.

As a safety learner, how can we not pursue hot spots to learn how this magical operation works~

I went to Zhihu to search for a wave. Sure enough, there are all kinds of tycoons sharing the source code. I specially made a source code audit to learn from~

Source code analysis

The source code shared by the big guy is as follows:

For the above code, you need to know the following basic information:

1. Take a look at the Navigator object, which contains information about the browser. The useragent property above is a read-only string that declares the value of the user agent header used by the browser for HTTP requests.

So we can judge whether there are some values in navigator.useragent.


In short, it can be understood as the Uesr agent read by the HTTP request header.

2. For example

window.location.href = /Android|webOS|iPhone|iPod|BlackBerry/i.test(navigator.userAgent) ? "https://www.baidu.com/" :  "http://news.baidu.com/";

By using regular expressions and three eye operators, the meaning is to jump to https://www.baidu.com/ if the mobile terminal is open, or to http://new.baidu.com/ if not. In fact, it is to use regular to determine whether navigator.useragent contains Android / WebOS / iPhone and other strings, and use the modifier "I" Case insensitive, and then use the regular method test to determine whether it is satisfied.

https://www.baidu.com/ http://new.baidu.com/

Introduction of thought

This is a popular source code. The above is my analysis. In fact, the idea is really simple. Let me introduce it in several steps

1, choose the red envelope from Alipay's red envelope interface - > earn money immediately - > two-dimensional code, get a two-dimensional code like this!

2. Get the QR code, use various free websites to analyze and analyze the text links, such as my:

3. Replace the variables A and B at the beginning of the source code, and then drop the web page into your own cloud server. In order to enhance the trust of others, we can also use Sina's short link to generate a domain name that others can't see. With all kinds of eye-catching jokes, we can spread red packets in large quantities~

Code thinking analysis:

1. In fact, it uses the link to jump

2, if app is not aware of the browser's wake-up call, it is equivalent to jump to the browser, then jump to Alipay.

3. If it is wechat, it will further call the interface for Android or IOS to wake up the browser for a second jump

4. At the end of the day, it's using the browser to do a second jump~

As of the release of this paper, the actual measurement:

1. Wechat has been unable to use this code to wake up the browser.

2, the result of the QQ test is that you can only open the built-in QQ browser and then wake up Alipay.

3. For example, UC browser can test directly, or even know and so on;

4, summarize: in fact, if you don't need to call the interface to wake up the browser's app, you can directly connect the Alipay link that you get through the Sina short connection to a hidden short connection to let others click.

You think it's over here?

Wrong, as a safety learner, how can we not analyze from the perspective of safety!

From the security point of view, although this is a big flow of red packets carnival, but we have to prevent criminals from taking the opportunity to construct a variety of malicious links to get personal information!

Maybe the first ten thousand links you clicked are the links that jump to Alipay. You slowly relax your vigilance, forget what your mom and dad said, the warning cases that all kinds of unknown links reported in the news can't be confused.

In fact, the above ways of utilization are known as CSRF. Here is a brief introduction to CSRF attacks.

CSRF attack introduction

CSRF (Cross Site Request Forgery), whose Chinese name is Cross Site Request Forgery

Also known as: one click attack / session riding

one click attack/session riding

Abbreviation: CSRF / xsrf

To put it simply, CSRF is to take advantage of our login or authorization status, and then do something harmful to our own interests.

for instance:

For example, the link of your transfer link is


10 represents the amount, and ID represents the account to which the transfer is made.

You may say that I didn't log in to the bank, so I just click this link.

This understanding is wrong.

Many times, for convenience, most people may use the password remembering function of the browser, or click the login free option on the website;

This is OK in itself, but when you click the bad link, your identity (cookies) will follow you to visit this page, and the bank will think that this is your operation, so the transaction is successful! (of course, in real life, the bank's judgment is not just like this, here is an example)

Physical truth

When hackers find a website's CSRF vulnerability, there may be no way to get you to click on this link before, but when you mix in this Alipay red carnival time, a small link can make you lose what you want.

Pay attention to OWASP TOP10

In 2017, CSRF remained in the top ten~

Go all the way, convenient though good, safety first~