icybear/alipay-deeplink-research
1
0
Fork 0
mirror of https://github.com/sgInnora/alipay-deeplink-research synced 2026-06-27 05:34:17 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
582fa970a39d8aa5abbed714371f57a8aa3a4dbc
alipay-deeplink-research/evidence/server_side_blocking_evidence.md
feng a3825c939f update: SEO/privacy overhaul — 36 CVE stats, redact case numbers, full sitemap 
- Meta/OG/Twitter tags: 17→36 CVEs, 6→9+ countries, SecurityGuard SDK keywords
- Sitemap: 5→12 URLs with correct lastmod dates
- Privacy: redact CSSF/CIRCL/PDPC case numbers, mask regulator staff names
- Content: add 6 new article pages + evidence screenshots
- Numbers: update all CVE counts (6→36, 11 MITRE tickets)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-25 05:28:06 +08:00

332 lines
14 KiB
Markdown
Raw Blame History

# Server-Side Real-Time Blocking Evidence
> Evidence that Alipay employs server-controlled, hot-updatable security mechanisms to dynamically block PoC payloads — proving the vulnerability was real and countermeasures were deployed post-CVE-report.
**APK**: `com.eg.android.AlipayGphone` v10.8.30.8000
**Analysis**: jadx decompiled source code
**Date**: 2026-03-16
**MITRE Ticket**: #2005801
---
## 1. Server-Side RPC Permission Checking
### 1.1 NewJsAPIPermissionExtension.java
**File**: `com/alipay/mobile/nebulax/integration/mpaas/extensions/NewJsAPIPermissionExtension.java`
When a WebView page attempts to call any JSAPI (e.g., `tradePay`, `getLocation`, `setTitle`), the permission system sends the loaded URL to Alipay's server for real-time verification:
```java
// Line 337: Server selects which RPC endpoint to use
String str = (z2 && newJsAPIPermissionExtension.f190512f)
? "alipay.hfiveappconfig.appContainerHighLevelCheck" // High-security APIs
: "alipay.mappconfig.appContainerCheck"; // Standard APIs
// Line 340: RPC call sends URL + context to server
newJsAPIPermissionExtension.f190508a.sendSimpleRpc(
str, // RPC method name
this.f190525d.toJSONString(), // Request payload (URL, appId, etc.)
"", true, new JSONObject(), null, false, null,
new H5SimpleRpcListener(...) { ... } // Callback processes server response
);
```
### 1.2 Server Response Processing via FlowCustoms
**File**: `NewJsAPIPermissionExtension.java` line 412
```java
// Server response is processed through FlowCustoms (流量安检) system
newJsAPIPermissionExtension2.b.handleRPCResponse(
page, str4, str3,
new FlowCustomsRpcHandleCallback(loadResultFuture, page) {
// Multiple @Override methods handle: allow, block, alert, redirect
}
);
```
**Key implication**: The server can return **allow**, **block**, or **alert** for ANY URL + JSAPI combination. This means Alipay can add blocking rules for specific URLs (like `innora.ai/zfb/poc/*`) without updating the APK.
### 1.3 NewRedirectUrlPermissionExtension.java
**File**: `com/alipay/mobile/nebulax/integration/mpaas/extensions/NewRedirectUrlPermissionExtension.java`
The same server-side RPC check applies to URL redirects:
```java
// Line 261: Same RPC pattern for redirect URL checking
String str = (z && newRedirectUrlPermissionExtension.f190545f)
? "alipay.hfiveappconfig.appContainerHighLevelCheck"
: "alipay.mappconfig.appContainerCheck";
// Line 263: Sends redirect URL to server for approval
newRedirectUrlPermissionExtension.f190541a.sendSimpleRpc(str, ...);
```
---
## 2. FlowCustoms (流量安检) URL Verification
### 2.1 OuterSchemeVerify.java
**File**: `com/alipay/mobile/flowcustoms/jumpin/OuterSchemeVerify.java`
External scheme URLs (like `alipays://`) are verified through a multi-layer system:
```java
import com.alipay.mobile.flowcustoms.engine.rule.FCRuleController; // Rule engine
import com.alipay.mobile.flowcustoms.rpc.util.FCRpcUtil; // Server RPC
import com.alipay.mobile.flowcustoms.startapp.BlackProductSafeGuardUtil; // Blacklist
public class OuterSchemeVerify {
private FCRuleController ruleController; // Server-synced rules
// ...
// Sends bundle_id + target_appid to server for verification
hashMap.put("bundle_id", OuterSchemeVerify.access$100(this.this$0));
hashMap.put("target_appid", OuterSchemeVerify.access$200(this.this$0));
}
```
**Architecture**: `FCRuleController` downloads rule sets from Alipay's server. `FCRpcUtil` sends real-time verification requests. `BlackProductSafeGuardUtil` maintains a blacklist of dangerous URLs/patterns.
---
## 3. Edge Content Security (Local + Server-Controlled)
### 3.1 EdgeContentDetector.java
**File**: `com/alipay/edge/contentsecurity/EdgeContentDetector.java`
Local content scanning with **server-controlled master switch**:
```java
// Line 276: Server can enable/disable ALL content detection remotely
if ("0".equals(GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_DETECT_COVERAGE_ON))) {
// Detection disabled — server controls this switch
return;
}
```
**5 detector types** (all server-configurable):
- `EdgeTextDetector` — scans page text content
- `EdgePictureDetector` — scans images
- `EdgeScanDetector` — QR/barcode scanning context
- `EdgeLinkDetector` — URL/link analysis
- `EdgeCardDetector` — financial card detection
### 3.2 Server-Controlled Parameters
```java
// Bloom filter configuration from server
GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_BLOOM_FILTER_CONFIG)
// Text detection max length — server-configurable
GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_TEXT_MAX_LENGTH) // default 10240
// Content monitoring rate — server-adjustable
GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_MONITOR_RATE_SWITCH)
// Character format detection — server toggle
GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_CHARSET_FORMAT_SWITCH_ON)
```
**Key implication**: Even if APK v10.8.30.8000 was installed before our CVE report, the server can remotely update detection rules, Bloom filter configs, and monitoring rates to block our specific PoC patterns.
---
## 4. Hot Patch Framework (Instant Remote Code Update)
### 4.1 RealTimeReceiver.java
**File**: `com/alipay/android/phone/mobilecommon/dynamicrelease/hotpatch/RealTimeReceiver.java`
```java
// Line 34: Listens for server-pushed config changes
public static final String ACTION_CONFIG_CHANGED = "com.alipay.mobile.client.CONFIG_CHANGE";
// Line 102: On CONFIG_CHANGE broadcast → sync new hotpatch config from server
if ("com.alipay.mobile.client.CONFIG_CHANGE".equals(action)) {
syncHotpatchConfig(); // Downloads new patches from server
}
// Lines 110-113: Patches triggered on app state transitions
triggerPatch(new AppLogScopedLogger("IR.UserLeaveHint"), USER_LEAVEHINT); // Background
triggerPatch(new AppLogScopedLogger("IR.ToForeground"), TO_FOREGROUND); // Foreground
```
### 4.2 syncHotpatchConfig()
**File**: `RealTimeReceiver.java` line 118
```java
public static void syncHotpatchConfig() {
// Fetches latest hotpatch configuration from Alipay server
// Downloads delta patches for changed methods
// Applies via AInstantRunManager
}
```
### 4.3 PatchProxy — Universal Method Interception
**Every security-relevant method** contains `PatchProxy.proxy()` calls that allow instant hot-patching:
```java
// Example from LegacyShouldLoadUrlExtension.java (URL loading security)
public static ChangeQuickRedirect f80061; // Patch slot
ChangeQuickRedirect changeQuickRedirect = f80061;
if (changeQuickRedirect == null ||
(proxy = PatchProxy.proxy(changeQuickRedirect, "0")) == null) {
// Original code executes
} else {
// HOT-PATCHED code executes instead
return proxy.result;
}
```
**PatchProxy presence confirmed in**:
- `NewJsAPIPermissionExtension.java` — JSAPI permission checks
- `LegacyShouldLoadUrlExtension.java` — URL loading decisions
- `EdgeContentDetector.java` — Content security scanning
- `OuterSchemeVerify.java` — External scheme verification
- `BundleCheckValve.java` — Bundle/dynamic release control
- `StrategyFactory.java` — Strategy pattern routing
- ALL dynamicrelease framework classes
**Key implication**: Alipay can modify the behavior of ANY security-checking method without releasing a new APK. A server-pushed `ChangeQuickRedirect` object replaces the original method logic entirely.
---
## 5. Behavioral Evidence: CVE-3 Timeline
### 5.1 First Test — Success (tradePay triggered)
| Time | Action | Result | File Size |
|------|--------|--------|-----------|
| ~15:40 | Load `payload_cve3_obf.html` via DeepLink | Page rendered (275KB), `tradePay` triggered | **275KB** |
| ~15:43 | tradePay callback received | "交易订单处理失败" error shown | **172KB** |
**Screenshot evidence**:
- `cve3_obf_page_rendered.png` (275KB) — page content visible
- `cve3_tradepay_triggered.png` (172KB) — tradePay error dialog
- `cve3_proof_20260316_155434.png` (172KB) — timestamped proof
### 5.2 Retest — Blocked (all subsequent attempts)
| Time | Action | Result | File Size |
|------|--------|--------|-----------|
| ~15:54+ | Reload same URL | White screen | **~31KB** |
| +retry | Force-stop + re-trigger | White screen | **~31KB** |
| +retry | Different obfuscation variant | White screen | **~31KB** |
| +retry | Clean test (ZERO sensitive keywords) | White screen | **~31KB** |
**Screenshot evidence**:
- `cve3_blocked_on_retest.png` (31KB) — white screen on same URL
### 5.3 Analysis
The **file size differential** (275KB rendered vs 31KB blocked) proves:
1. First request: Server allowed → full page content loaded
2. Subsequent requests: Server blocked → WebView receives empty/error response
3. This is NOT local content filtering (the clean test with zero JSAPI keywords was also blocked)
4. This IS URL-level server-side blocking — the domain/URL was flagged after initial PoC execution
### 5.4 Clean Test Anomaly (CVE-6 evidence)
`payload_test_clean.html` contains:
- ZERO JSAPI call keywords (no `tradePay`, `setTitle`, `showToast`, `getLocation`)
- Only checks `typeof window.AlipayJSBridge`
- Pure HTML with no bridge interaction
**Result**: Also shows white screen (~31KB)
**This proves URL-level blocking**: The server blocks based on the **source URL/domain** (`innora.ai/zfb/poc/`), not based on page content analysis. The URL was added to a server-side blocklist after our initial CVE-3 PoC triggered successfully.
---
## 6. Synthesis: What This Means for MITRE
### 6.1 The Vulnerability Was Real
CVE-3 (`tradePay`) was successfully triggered from an external page loaded via DeepLink. The payment UI appeared with "交易订单处理失败" — proving the JSAPI was callable without domain restriction. This is documented with timestamped screenshots.
### 6.2 Server-Side Countermeasures Were Deployed
After our initial PoC success, the server-side security systems responded:
1. `NewJsAPIPermissionExtension` sent our URL to `alipay.mappconfig.appContainerCheck`
2. Server flagged our domain (`innora.ai`) or specific URL patterns
3. `FlowCustomsRpcHandleCallback` returned "block" for subsequent requests
4. URL-level blocking applied (even clean pages from same domain were blocked)
### 6.3 Hot Updates Enable Silent Patching
The `PatchProxy` + `RealTimeReceiver` framework means:
- **No APK update needed** — patches are pushed server-side
- **Instant deployment** — `CONFIG_CHANGE` broadcast triggers sync
- **Method-level granularity** — any security check can be replaced
- **Even APK v10.8.30.8000 (old version) receives new rules**
### 6.4 Implications for CVE Assessment
1. The "one-time success then blocked" pattern is **evidence of the vulnerability existing**, not evidence of it being non-exploitable
2. Server-side blocking is a **reactive countermeasure**, not an inherent security control
3. An attacker using a **fresh domain/URL** would succeed until that domain is also flagged
4. The vulnerability exists in the **architectural design** (no client-side domain whitelist for sensitive JSAPIs), not in the server-side detection rules
### 6.5 Code Architecture Summary
```
External DeepLink (alipays://platformapi/startapp?appId=20000067&url=...)
├── OuterSchemeVerify ──── FCRuleController (server rules)
│ │ FCRpcUtil (server RPC)
│ │ BlackProductSafeGuardUtil (blocklist)
│ │
│ └── PatchProxy → [hot-patchable]
├── WebView loads external URL
│ │
│ ├── NewJsAPIPermissionExtension ── sendSimpleRpc() → Server
│ │ │ appContainerCheck /
│ │ │ appContainerHighLevelCheck
│ │ │
│ │ └── FlowCustomsRpcHandleCallback
│ │ ├── onAllow() → JSAPI call proceeds
│ │ ├── onBlock() → Page blocked (white screen)
│ │ └── onAlert() → Warning shown
│ │
│ ├── EdgeContentDetector (local, server-controlled switch)
│ │ ├── EdgeTextDetector
│ │ ├── EdgeLinkDetector
│ │ └── EDGE_CONTENT_DETECT_COVERAGE_ON (server toggle)
│ │
│ └── PatchProxy → [ALL methods hot-patchable]
└── RealTimeReceiver
├── CONFIG_CHANGE → syncHotpatchConfig()
├── TO_FOREGROUND → triggerPatch()
└── USER_LEAVEHINT → triggerPatch()
```
---
## 7. Files Referenced
| File | Location | Evidence For |
|------|----------|-------------|
| NewJsAPIPermissionExtension.java | nebulax/integration/mpaas/extensions/ | Server-side RPC permission checking |
| NewRedirectUrlPermissionExtension.java | nebulax/integration/mpaas/extensions/ | Server-side redirect URL checking |
| LegacyShouldLoadUrlExtension.java | nebulax/integration/mpaas/extensions/ | PatchProxy in URL loading |
| FlowCustomsRpcHandleCallback.java | nebulax/integration/base/security/h5jsapi/ | Allow/block/alert response handling |
| OuterSchemeVerify.java | flowcustoms/jumpin/ | External scheme verification |
| FCRuleController.java | flowcustoms/engine/rule/ | Server-synced rule engine |
| FCRpcUtil.java | flowcustoms/rpc/util/ | FlowCustoms server RPC |
| BlackProductSafeGuardUtil.java | flowcustoms/startapp/ | URL/product blacklist |
| EdgeContentDetector.java | edge/contentsecurity/ | Local content scanning |
| EdgeBloomFilter.java | edge/contentsecurity/model/bloom/ | Bloom filter for content sampling |
| RealTimeReceiver.java | dynamicrelease/hotpatch/ | Hot patch config sync |
| BundleCheckValve.java | dynamicrelease/ | Dynamic release control |
All code extracted from jadx decompilation of `Alipay_10.8.30.8000_APKPure.apk`.
Reference in New Issue View Git Blame Copy Permalink