Interface call parameter tampering test, interface unauthorized access/call test
Interface call parameter tampering test
Test Principles and Methods
In business flows that send SMS or email messages, such as SMS verification codes and email verification codes, modify the mobile phone number or email address parameter value in the corresponding request and submit it. If the modified mobile phone number or email address receives the message sent by the system, the interface call parameter can be tampered with: the server is delivering the code to the recipient named in the request rather than to the recipient it holds for the account.
Testing process
As shown in the figure, the attacker controls account B and the user owns account A. The attacker starts a password retrieval operation for account A; the server sends a password reset message to account A's mailbox or mobile phone, and the attacker reaches the verification code entry page. At this point the attacker clicks "Resend verification code", intercepts the resend request, and changes the email address or mobile phone number of the recipient in the request to the attacker's own. A vulnerability exists if the attacker's address or number receives the password reset message.
The test process takes a mobile App system as an example.
Step 1: As shown in the figure, click "Resend" on the SMS verification code page and capture the request packet at the same time.
Step 2: As shown in the figure, in the intercepted request modify the param.telno parameter (the designated recipient mobile phone number) to another mobile phone number.
Step 3: As shown in the picture
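The weakness the test above looks for is a resend handler that takes the recipient from the client-supplied param.telno field. The following is an added example, not code from the original page or from any product it describes: a minimal simulation of the vulnerable handler beside a hardened one that binds the recipient to the server-side reset session and records a mismatch as a tamper indicator. The session store, the SMS gateway stand-in, the log, and the sample numbers are all constructed for the example.

```python
import secrets

# Constructed: server-side password-reset sessions, keyed by a session token.
# Each session records the account the reset was started for and that account's
# registered mobile number, the only number a code should ever be sent to.
RESET_SESSIONS = {
    "sess-A": {"account": "A", "telno": "13800000001"},
}

SENT_MESSAGES = []   # constructed stand-in for the SMS gateway: (recipient, code)
TAMPER_LOG = []      # constructed: (account, client-supplied telno) mismatches


def send_sms(telno, code):
    """Stand-in for the SMS gateway; returns the recipient it delivered to."""
    SENT_MESSAGES.append((telno, code))
    return telno


def new_code():
    """Six-digit verification code from the OS CSPRNG."""
    return f"{secrets.randbelow(10**6):06d}"


def resend_code_vulnerable(request):
    """Vulnerable pattern: the recipient is read from the client-controlled
    param.telno field, so whoever submits the resend request picks who
    receives the code. This is the behaviour the test above detects."""
    telno = request["param"]["telno"]
    return send_sms(telno, new_code())


def resend_code_hardened(request):
    """Hardened pattern: the recipient is looked up from the server-side reset
    session. Any client-supplied telno is ignored; if it differs from the
    registered number it is logged so the attempt can be alerted on."""
    session = RESET_SESSIONS.get(request.get("session"))
    if session is None:
        raise PermissionError("no active password-reset session")
    client_telno = request.get("param", {}).get("telno")
    if client_telno is not None and client_telno != session["telno"]:
        TAMPER_LOG.append((session["account"], client_telno))
    return send_sms(session["telno"], new_code())


def tamper_attempts_for(account):
    """Detection helper: client-supplied numbers that did not match the account."""
    return [telno for acct, telno in TAMPER_LOG if acct == account]


if __name__ == "__main__":
    # Constructed request matching Step 2: param.telno rewritten to another number.
    tampered = {"session": "sess-A", "param": {"telno": "13900000002"}}
    print("vulnerable delivered to:", resend_code_vulnerable(tampered))
    print("hardened delivered to:  ", resend_code_hardened(tampered))
    print("tamper log for A:       ", tamper_attempts_for("A"))
```

The hardened handler never consults the request for the recipient; the only client input it honours is the session token, which identifies the reset in progress. Logging the mismatch gives a detection signal for the exact test described above: a resend request whose param.telno differs from the number on file for the account being reset.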